
Page 1: ENterprise Security PolicY

Mississippi Department of Human Services Enterprise Security Policy (ESP)

Executive Director John Davis

The MDHS staff below is responsible for oversight of the Enterprise Security Policy (ESP) for the MDHS Agency.

• Chief Systems Information Officer – Executive Level Approver
• Director of IT Security Compliance – Administrator for ESP
• Senior IT Security Engineer – Administrator for ESP

Last ESP Revision Date 01/24/2018

ENTERPRISE SECURITY POLICY | PAGE | 1

Table of Contents

Executive Summary .......... 2
Introduction .......... 3
  Purpose .......... 3
  Overview .......... 3
  Use of Manual Guidance .......... 3
Security Policy 100 - MDHS Information Technology (IT) Security Policy .......... 4
Security Policy 101 - MDHS IT Risk Assessment, Vulnerability Scanning and Review of Network Logs .......... 8
Security Policy 102 - MDHS IT Acceptable Use Policy .......... 10
Security Policy 103 - MDHS IT Data Classification .......... 11
Security Policy 104 – MDHS IT Server Security .......... 13
Security Policy 105 – MDHS IT Email Security .......... 14
Security Policy 106 – MDHS IT Virus Prevention .......... 15
Security Policy 107 – MDHS IT Firewall Security .......... 16
Security Policy 108 – MDHS IT Data Encryption, Physical Security of Computers and Electronic and Removable Media .......... 18
Security Policy 109 – MDHS IT Password Security .......... 20
Security Policy 110 – MDHS IT Mobile Device Security .......... 22
Security Policy 111 - MDHS IT Application Security .......... 24
Security Policy 112 – MDHS IT Media Access Protection .......... 26
Security Policy 113 – MDHS IT Wireless Access .......... 27
Security Policy 114 - MDHS IT Systems Access Control .......... 28
Security Policy 115 - MDHS IT Internal Audit .......... 30
Security Policy 116 – MDHS IT Security, Disclosure & Incident Response Awareness Training .......... 32
Security Policy 117 – MDHS IT Configuration Management .......... 34
Security Policy 118 - MDHS IT Incident Response .......... 36
Security Policy 119 - MDHS IT Maintenance .......... 39
Security Policy 120 - MDHS IT Personnel Security .......... 40
Security Policy 121 – MDHS IT Scanning & Use of MFD Policy .......... 41
Security Policy 122 - MDHS IT System & Service Acquisitions .......... 44
Security Policy 123 - MDHS IT Physical Security .......... 45
Security Policy 124 - MDHS IRS Publication 1075 Reporting .......... 47
Security Policy 125 – MDHS Additional IT Security Controls .......... 48
Security Policy 126 – MDHS IRS Federal Tax Information Statistical Reporting .......... 49
Security Policy 127 – MDHS IT FAX Policy .......... 50
Security Policy 128 - MDHS IT Contingency Planning .......... 51
Security Policy 129 – MDHS IRS Background Investigation Requirements .......... 53
Security Policy 130 - MDHS IT SSA Audit Record Guidelines .......... 56
Security Policy 131 – MDHS Remote Access, Telework and Alternate Work Site Policy .......... 59
Security Policy 132 – MDHS Duplication of Sensitive Data Policy .......... 61
Enterprise Security Acronym List .......... 62
Enterprise Security Definition Glossary .......... 63
References .......... 65
ESP Review Record 2016 .......... 67
ESP Review Record 2015 .......... 68

Executive Summary

The Mississippi Department of Human Services has undertaken an aggressive role in protecting the assets and information systems from occurrences that could adversely impact the citizens of Mississippi. Federal and State Guidelines require MDHS to have effective information security controls over Information Technology to support agency programs. As technology has grown more complex and open, MDHS needs an effective IT Security Program to have oversight of its vast information systems. The MDHS IT Security Program was created to provide agency-wide oversight of all security functions to better protect the MDHS agency.

The MDHS IT Security Program takes a holistic approach in support of protecting employee and client information. The IT Security Program works to ensure that protective controls are in place that are commensurate with the level of sensitivity of the information resources that are owned and managed by MDHS. By formally defining process and policy, the IT Security Program assures consistency in the implementation of controls that will strengthen the overall MDHS security posture and support compliance with Federal and State Laws and Guidelines. Each MDHS division and office must be responsible in supporting MDHS IT security requirements.

The goal of the MDHS Enterprise Security Policy Manual and accompanying standards is to provide guidelines for the minimum cyber security criteria needed to protect MDHS’s business critical functions and the information assets and technologies that support them. The Manual is based on public laws, IRS Publication 1075, ITS Enterprise Security Policy, National Institute of Standards and Technology (NIST) Standards and Guidelines, and MDHS specific security issues, concerns, and experiences. This document provides a framework for divisions and offices to expand upon for mitigating risks to MDHS information assets and technologies.

Introduction

Purpose
The purpose of the MDHS Enterprise Security Policy Manual and accompanying standards is to establish policies for the management of risk that results from threats and vulnerabilities that could impact the confidentiality, integrity, and availability of information and information systems that are owned or managed by MDHS. Information is a vital agency asset and requires protection from unauthorized access, modification, disclosure or destruction. The following sets of policies are the requirements for information security practices that will govern the daily usage of MDHS information systems.

Overview
Objectives of these IT security policies are to ensure that MDHS information is protected, and that information technology remains in compliance with state and federal statutes and regulations. Specifically, MDHS seeks to be in compliance with ITS directives, Social Security Administration guidelines, Office of Child Support Enforcement Guidelines, Mississippi Office of the State Auditor, IRS Publication 1075, and NIST 800-53 Revision 4. Information systems users should be aware that there is no expectation of personal privacy while using MDHS information systems and resources, and that data can be viewed, audited, provided to law enforcement, or removed at any time by the organization. MDHS Security policies address the purpose, scope, roles, responsibilities, coordination among organizational entities, and compliance to implement appropriate security controls. The technical security controls outlined in these policies apply to all MDHS information, no matter the amount or the media in which it is recorded. MDHS information must be afforded the same levels of protection for both paper and electronic forms of information.

Use of Manual Guidance
Each IT Security Policy consists of six sections as outlined below.

• Revision Date
• Purpose
• Reference
• Scope
• Responsible Party
• Policy Statement

IT Security Standards are provided to outline how the IT Security Policies will be implemented.

Security Policy 100 - MDHS Information Technology (IT) Security Policy

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy
1/24/2018        2.0          Update with SSA Information

Purpose
Information is a vital agency asset and requires protection from unauthorized access, modification, disclosure or destruction. This policy sets the requirements for information security practices that will govern the daily usage of MDHS information systems. Objectives of this policy are to ensure that MDHS information is protected, and that information technology remains in compliance with state and federal statutes and regulations. Specifically, MDHS seeks to be in compliance with ITS directives and IRS Publication 1075 as referenced below. Information systems users should be aware that there is no expectation of personal privacy while using MDHS information systems and resources, and that data can be viewed, audited, provided to law enforcement, or removed at any time by the organization. Violation of this policy may result in denial of access to MDHS information and criminal prosecution, and disciplinary actions may be considered up to and including termination of employment or of the relationship with MDHS per the MDHS MIS Confidential Information Agreement.

Reference

• Mississippi Department of Information Technology Services, Information Security Division, State of Mississippi Enterprise Security Policy (ITS ESP)

• IRS Publication 1075 Tax Information Security Guidelines For Federal, State and Local Agencies (OMB No. 1545-0962)

• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, Revision 4.

• National Institute of Standards & Technology (NIST) Special Publication (SP) 800-30 Risk Management Guide for Information Technology Systems

Scope
MDHS protects taxpayers’ rights to privacy and confidentiality by creating and putting into practice policies and standards that allow access to Federal Taxpayer Information (FTI) only for legitimate reasons. MDHS Employees must secure this information in a way that protects the privacy of taxpayers at all times, regardless of how the information is stored or processed. This policy applies to all MDHS locations and includes, but is not limited to, employees (full-time, part-time, and temporary), vendors, consultants, contract workers, interns, visitors, and employee family members.

This includes the security of primary and off-site MDHS facilities, data storage, and operations activities; computing, telecommunications, and applications-related services obtained from other government entities or commercial concerns; and Internet-related applications and connectivity. This policy applies to all equipment that is owned, leased, or maintained by the MDHS organization, including equipment that is located in an individual's home, and covers equipment used in facilities that are owned and leased by the organization. This policy applies to all types of information generated, used, or held by MDHS that is used within the scope of the organization's business processes in all formats, including electronic, magnetic, paper, or other. Information systems and other computing devices include all components connected or related to the MDHS computer network and telecommunications environment, including, but not limited to, Internet, intranet, MS State Network, remote access, e-mail, workstations, any electric and/or battery operated device that can be easily transported and that has the capability for storing, processing, and/or transmitting data (including Laptops, Tablet/Mini PCs, Blackberries, Smartphones, and Hand-Held PCs), removable media, telephones, and other related computing equipment. Responsibility for information security on a day-to-day basis is every employee's duty. Specific responsibility for information security is NOT solely vested with the MDHS MIS Security Group function.

Responsible Party
MDHS MIS Security Group, Directors, Managers, Supervisors

Policy Statement
MDHS’s MIS Security Group will operate in a manner consistent with the ITS Enterprise Security Policy (ITS ESP) and IRS Publication 1075 guidelines. Further, MDHS will recognize some NIST standards and operate within the scope of those standards to the extent that they are referenced from within IRS Publication 1075.
MDHS will review its MIS security processes, procedures, and practices at least annually and make appropriate updates after any significant change to its business, computing, or telecommunications environment. The agency will annually deliver this Information Security Policy to ITS along with a security verification letter. In order to ensure secure transport, authentication and authorization, access controls will be established for all information systems and facilities and will include a means to identify and authenticate users. Access controls for each system will be commensurate with the sensitivity of the information processed by or stored on the system. Users must not share assigned account privileges (e.g. passwords, tokens or identification badges). Access to MDHS systems may be modified or revoked at any time by the agency. MDHS will employ the need-to-know principle when granting access to information systems or data. This principle dictates that information only be provided to users that require the information to carry out their assigned duties. Users must not attempt to gain, in an unauthorized manner, privileges beyond those they are assigned. It is prohibited to use MDHS systems for activities that are considered illegal, obscene, defamatory, or which are intended to harass or intimidate another person. The agency's information systems will not be used to damage or impair the operations of other systems of any type, regardless of whether at an MDHS facility or some other entity. MDHS users must not use information systems to support a personal business or some other activity for personal gain. Activities that may degrade internal systems operations, or affect work productivity, are also prohibited. Examples of such activities include: accessing or downloading games, installing personal software, sending chain letters, installing peer-to-peer file sharing tools (e.g., MP3 sharing tools), file transfer within Internet chat, listening to radio stations or on-line music, and emails related to gambling or betting pools. Unauthorized duplication of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which MDHS or the end user does not have an active license, is strictly prohibited. At any alternative work sites, which may include employee home offices and remote field offices, precautions must be taken to protect MDHS information, hardware, and software from theft, damage, and misuse. Information must be protected in a manner commensurate with its sensitivity, value, and criticality. When accessing the organization's network from a remote site, or when using mobile devices (such as a tablet or laptop), the user assumes responsibility for the security of the information that is stored and processed by the device. MDHS equipment that is located at a remote site or home office must be returned to the organization at the termination of the relationship with MDHS. Personal computing equipment may be used to connect to the MDHS network only for the conduct of business and operations from a remote site, such as a home office. Personal computers must, at a minimum, have the most current and up-to-date anti-virus and personal firewall software installed. Computing devices that have been used to store and process federal taxpayer information (FTI) and SSA-provided information must be sanitized when no longer in use, or when the user’s employment with MDHS ends. Upon termination of employment, all FTI will be returned to MDHS and no copies will be retained.
All materials containing FTI remain the property of MDHS. Media storage that is no longer required for use and that has been used to store sensitive information, FTI, or SSA-provided information must be destroyed using approved destruction methods as outlined in Security Policy 112 – MIS Media Access Protection, which describes proper handling of removable media throughout the media lifecycle. Neither FTI nor SSA-provided information may ever be hand torn, recycled or buried in a landfill. MDHS will maintain a risk management program as identified in Security Policy 101 – MIS Risk Management. New employees will be trained on the security policy upon hire and will be expected to sign the Confidentiality Acknowledgement Form indicating that they have read and understand the security policy. Employees will be required to annually review the security policy. Employees with specific security responsibilities will be trained accordingly, as identified in the Scope and Responsible Party sections of applicable policies. Proper use of MDHS email, Internet, State Network and social media is addressed in Security Policy 102 – MIS Acceptable Use. MDHS will establish policies to protect the confidentiality, integrity and availability of data through proper classification of data as Public, Limited Access or Sensitive per Security Policy 103 - MIS Data Classification.

The agency will establish server security with proper configuration and physical security as outlined in Security Policy 104 - MIS Server Security. The Security Policy 105 - MIS Email Security policy will help employees use email properly, seeking to prevent improper communications, reduce the risk of malicious file attachments, outline the use of email for official use only, and force encryption anytime sensitive data is included in email. Virus prevention will be achieved by adhering to the Security Policy 106 – MIS Virus Prevention policy for proper maintenance and use of virus scanning software. The perimeter of the MDHS network will be secured by the Security Policy 107 - MIS Firewall Security policy, which secures the LAN from outside threats with a rule set that is as restrictive as possible, managed using secure protocols, with events being logged by the firewall. All sensitive data must be encrypted using industry standard algorithms as outlined in Security Policy 108 - MIS Data Encryption. Anyone requiring remote access from either public Internet or private circuits must utilize a virtual private network (VPN) as described in Security Policy 114 - MIS Access Control. As a part of MDHS’s security posture, strong passwords are a key element and will be established via the Security Policy 109 - MIS Password Security policy, which will address password automation, stored passwords and timeouts, among other considerations. Security Policy 113 - MIS Wireless Access will be used to address security and data integrity measures required for implementing and securing wireless local area networks. MDHS will follow the directives in Security Policy 110 - MIS Mobile Device Security in order to properly ensure the security of data residing on laptops and mobile devices. New applications must be secure and meet all privacy requirements. In order to ensure this, MDHS will perform application security and application vulnerability assessments as outlined in Security Policy 111 - MIS Application Security. Should MDHS experience a data breach, proper notification to the Mississippi Department of Information Technology Services and the Internal Revenue Service will be made per the Security Policy 118 – Incident Response policy. Finally, all data center facilities must be physically protected in proportion to the criticality of the business functions and associated systems, assets, and infrastructure, giving proper consideration to the importance of keeping data secure by adhering to Security Policy 123 - MIS Physical Security. MDHS will ensure that access to the State Network, provided by the Mississippi Department of Information Technology Services, is subject to the same, or greater, security measures as the MDHS network. Security Policy 100 above references many, but not all, MDHS security policies. However, all MDHS Security Policies and Standards must be adhered to.

Security Policy 101 - MDHS IT Risk Assessment, Vulnerability Scanning and Review of Network Logs

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy
8/22/2016        2.0          Information Added Regarding Vulnerability Scanning
6/20/2017        3.0          Information Added Regarding Review of Network Logs

Purpose
This policy establishes the requirements that must be met in order to reduce the risk of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency regarding the use of sensitive information.

Reference
IRS Publication 1075 Section 9.3.14; ITS ESP

Scope
MDHS Employees and Contractors.

Responsible Party
MDHS IT Administration.

Policy Statement

Risk Assessment
MDHS shall conduct risk assessments which will:

• Identify the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits.
• Document the risk assessment results.
• Review risk assessment results.
• Update the risk assessment annually, or whenever there are significant changes to the information system or environment of operation or other conditions that may impact the security state of the system.

Vulnerability Scanning
The Agency shall scan systems containing sensitive data to identify any vulnerabilities, utilizing the most current definitions for the scanning tool.

• Scan for vulnerabilities in the information system and hosted applications at a minimum of monthly for all systems and when new vulnerabilities potentially affecting the system/applications are identified and reported.

• Employ vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for the following:

  o Enumerating platforms, software flaws and improper configurations
  o Formatting checklists and test procedures
  o Measuring vulnerability impact

• Analyze vulnerability scan reports and results from security control assessments.
• Remediate legitimate vulnerabilities in accordance with an assessment of risk.
• Share information obtained from the vulnerability scanning process and security control assessments with designated agency officials to help eliminate similar vulnerabilities in other information systems (i.e., systematic weaknesses or deficiencies).
• Employ vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

Review of System Logs
The Network System administrator must ensure that network and host-based logs are reviewed on a weekly basis, or more frequently at the discretion of the information system owner, for indications of unusual activity related to potential unauthorized access (IRS SCSEM Network Assessment Test ID #Net-09). The Network administrator must document how anomalies are identified and handled. The Network administrator must document the Agency's process for monitoring increases in network activity. The Network system administrators must regularly review all network and host-based logs on a weekly basis, review anomalies, and document findings in accordance with the Agency's incident reporting procedures. The Agency's log review process must include regular reviews of network activity for abnormal increases in network traffic from the agency's normal traffic threshold. The Agency’s log review process must document and report abnormal increases in network traffic activity in accordance with the agency's incident reporting procedures.
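
As an added illustration of the log review requirement above (it is not MDHS code or tooling), the following Python script reviews constructed key=value traffic log lines, derives each host's normal daily traffic threshold from its prior days, flags the day that exceeds it and records how the anomaly was identified, which is what the policy asks the administrator to document. The log format, the hosts and the median-plus-MAD threshold rule are assumptions.

```python
"""Weekly review of network logs for abnormal traffic increases.

Added example for the log review requirement above; it is not MDHS code.
Assumptions (not taken from the policy): logs are one-line key=value records
with an ISO timestamp, source host, destination and byte count, and a host's
"normal traffic threshold" is derived from its prior days as
median + max(3 * MAD, 50% of median), so a perfectly flat history still
needs a real increase (not noise) before a day is flagged.
"""
import re
import statistics
from collections import defaultdict
from datetime import date

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T[\d:]+ src=(?P<src>[\d.]+) "
    r"dst=[\d.]+ bytes=(?P<nbytes>\d+)$"
)

# Constructed sample log: host 10.1.1.20 is steady all week; host 10.1.1.30
# sends far more than usual in the early hours of 2018-01-19. The last line
# is deliberately malformed so that unparsable input is counted rather than
# dropped silently.
SAMPLE_LOG = """\
2018-01-15T09:00:00 src=10.1.1.20 dst=203.0.113.5 bytes=1200
2018-01-15T09:05:00 src=10.1.1.30 dst=203.0.113.9 bytes=4800
2018-01-16T09:00:00 src=10.1.1.20 dst=203.0.113.5 bytes=1100
2018-01-16T09:05:00 src=10.1.1.30 dst=203.0.113.9 bytes=5300
2018-01-17T09:00:00 src=10.1.1.20 dst=203.0.113.5 bytes=1300
2018-01-17T09:05:00 src=10.1.1.30 dst=203.0.113.9 bytes=5000
2018-01-18T09:00:00 src=10.1.1.20 dst=203.0.113.5 bytes=1250
2018-01-18T09:05:00 src=10.1.1.30 dst=203.0.113.9 bytes=4900
2018-01-19T09:00:00 src=10.1.1.20 dst=203.0.113.5 bytes=1150
2018-01-19T02:14:00 src=10.1.1.30 dst=198.51.100.7 bytes=90000
this line is not in the expected format
"""

MIN_BASELINE_DAYS = 3  # assumption: fewer prior days is not enough history


def parse_log(text):
    """Return ([(day, src, bytes), ...], number_of_malformed_lines)."""
    records, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            malformed += 1
            continue
        records.append((date.fromisoformat(m["day"]), m["src"], int(m["nbytes"])))
    return records, malformed


def daily_totals(records):
    """Sum bytes per source host per day: {src: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, nbytes in records:
        totals[src][day] += nbytes
    return totals


def normal_threshold(baseline):
    """Normal-traffic ceiling for a host, from its prior daily totals."""
    med = statistics.median(baseline)
    mad = statistics.median([abs(v - med) for v in baseline])
    return med + max(3 * mad, 0.5 * med)


def review_day(text, review_date):
    """Review one day of traffic against each host's prior history.

    Returns a record for the incident reporting file: the date, how many
    lines could not be parsed, and one finding per host whose traffic
    exceeded its normal threshold (or that has too little history to judge),
    including the method used, since the policy requires it to be documented.
    """
    day = date.fromisoformat(review_date)
    records, malformed = parse_log(text)
    findings = []
    for src, per_day in daily_totals(records).items():
        baseline = [v for d, v in per_day.items() if d < day]
        observed = per_day.get(day, 0)
        if len(baseline) < MIN_BASELINE_DAYS:
            findings.append({"host": src, "date": review_date, "observed": observed,
                             "status": "insufficient-baseline",
                             "baseline_days": len(baseline)})
            continue
        threshold = normal_threshold(baseline)
        if observed > threshold:
            findings.append({"host": src, "date": review_date, "observed": observed,
                             "status": "abnormal-increase",
                             "threshold": round(threshold),
                             "baseline_days": len(baseline),
                             "method": "median + max(3*MAD, 50% of median) "
                                       "of prior daily totals"})
    return {"review_date": review_date, "malformed_lines": malformed,
            "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(review_day(SAMPLE_LOG, "2018-01-19"), indent=2))
```

Running the script on the sample flags only 10.1.1.30 on 2018-01-19 (90000 bytes against a derived threshold of 7425) and reports one malformed line; a production version would read the real log files and feed the findings into the agency's incident reporting procedure.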

Security Policy 102 - MDHS IT Acceptable Use Policy

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy

Purpose
This policy governs the use of all computers, computer-based communications networks, and all related equipment administered by MDHS.

Reference
ITS ESP Rule 2.3

Scope
MDHS Employees.

Responsible Party
MIS Administration and Employees

Policy Statement
Software, including but not limited to, internet downloads, utilities, add-ins, programs (including shareware, freeware, and internet access software), patches, upgrades, or clip-art shall not be installed on any desktop, notebook personal computer, or server by anyone other than a representative of the MDHS MIS Department. Software owned or licensed by MDHS may not be copied to alternate media, distributed by e-mail, transmitted electronically, or used in its original form on other than MDHS PCs without written permission from the MDHS MIS administration. In no case is the license agreement or copyright to be violated. All PCs, workstations, printers, add-in cards, memory modules, and other associated equipment are the property of MDHS and should not be used for purposes other than organization related business. No changes, modifications, additions, or equipment removals may be done without prior notification to the MDHS MIS Administrators. Except for notebook PCs and other mobile devices used in daily offsite work, no information systems equipment should be removed from MDHS premises without the permission of the employee’s supervisor and/or IT administration. Internet access and acceptable use is defined in AP-32 - Internet Usage Policy. Social media acceptable use is covered in AP-53 Social Media Policy. E-mail acceptable use is defined in AP-31 E-Mail Usage Policy. Employees are expected to report violations of this policy that they observe to the MIS Security Group and to cooperate in any investigation of the violation.

Security Policy 103 - MDHS IT Data Classification

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy

Purpose
This policy will set the expectations for managing data from its creation, through authorized use, to proper disposal.

Reference
ITS ESP Part 1 Chapter 4.

Scope
MDHS Employees and Contractors.

Responsible Party
IT Administrators and Employees.

Policy Statement
All MDHS data shall be assigned one of the following classifications:

• Public: The “public” classification includes information that must be released under Mississippi open records law or instances where an agency unconditionally waives an exception to the open records law.

• Limited Access: The “limited-access” classification applies to information that an agency may release if it chooses to waive an exception to the open records law and places conditions or limitations on such a release.

• Sensitive: The “sensitive” classification applies to information, the release of which is prohibited by state or federal law. This classification also applies to records that an agency has discretion to release under open records law exceptions but has chosen to treat as highly confidential.

MDHS shall utilize Security Standard 204 - MIS Data Classification Assignment to properly classify all data. MDHS shall determine if there are state or federal legal requirements for classifying the data (e.g., FTI, HIPAA, PCI) and shall assign the classification(s) as required by law. MDHS shall classify data on an ongoing basis and regularly review the appropriateness of the assigned data classifications and adjust classifications in the event of regulatory changes affecting an agency’s management of information under its control. When data is commingled from different sources, it must be classified with at least the most secure classification level of any individually classified data in the set (e.g. when classifying systems or databases containing multiple levels of classified data).

All reproductions of data in its entirety must carry the same data classification as the original. If an agency is unable to determine the data classification of data, the data should be assumed to have high classification requirements. All personally identifiable information (PII) must be classified as “sensitive”.
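
The classification rules of this policy can be written down as a small decision procedure. The following Python is an added example, not MDHS code; the element records, the PII flag, the legal tag strings and the mapping of "high classification requirements" to the Sensitive level are constructed assumptions, while the rule ordering follows the policy text above.

```python
"""Decision procedure for the Security Policy 103 classification rules.

Added example, not MDHS code. Rules encoded from the policy text:
  - PII is always "sensitive";
  - data whose release is prohibited by law is "sensitive";
  - data whose classification cannot be determined is assumed to have high
    requirements (mapped here to "sensitive", an assumption);
  - commingled data takes at least the most secure level of any part.
The element records, PII flag and tag strings are constructed for the example.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Iterable, Optional, Set, Tuple


class Classification(IntEnum):
    """Ordered so that max() yields the most restrictive level."""
    PUBLIC = 0
    LIMITED_ACCESS = 1
    SENSITIVE = 2


# Data whose release is prohibited by state or federal law. The policy names
# FTI, HIPAA and PCI as examples; the tag strings themselves are assumptions
# and would be extended as the agency's legal review requires.
LEGALLY_RESTRICTED_TAGS = {"FTI", "HIPAA", "PCI"}


@dataclass
class DataElement:
    name: str
    declared: Optional[Classification] = None  # None: owner could not determine
    legal_tags: Set[str] = field(default_factory=set)
    contains_pii: bool = False


def classify_element(elem: DataElement) -> Tuple[Classification, str]:
    """Return the required level and the rule that produced it (for the record)."""
    if elem.contains_pii:
        return Classification.SENSITIVE, "PII must be classified as sensitive"
    hits = elem.legal_tags & LEGALLY_RESTRICTED_TAGS
    if hits:
        return (Classification.SENSITIVE,
                "release prohibited by law (%s)" % ", ".join(sorted(hits)))
    if elem.declared is None:
        return (Classification.SENSITIVE,
                "classification undetermined; assume high requirements")
    return elem.declared, "owner-assigned classification"


def classify_commingled(elements: Iterable[DataElement]) -> Tuple[Classification, str]:
    """Classify a system, database or data set that holds several elements.

    The result is at least the most restrictive level of any element, and the
    reason names the element that drove it so the decision can be reviewed
    when regulations change. An empty set is treated like undetermined data.
    """
    best = None
    for elem in elements:
        level, reason = classify_element(elem)
        if best is None or level > best[0]:
            best = (level, "%s: %s" % (elem.name, reason))
    if best is None:
        return Classification.SENSITIVE, "no elements; assume high requirements"
    return best


if __name__ == "__main__":
    # Constructed records for a case-management database.
    elements = [
        DataElement("press releases", Classification.PUBLIC),
        DataElement("case notes", Classification.LIMITED_ACCESS),
        DataElement("tax return data", Classification.PUBLIC, legal_tags={"FTI"}),
    ]
    level, reason = classify_commingled(elements)
    print(level.name, "because", reason)
```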

Security Policy 104 – MDHS IT Server Security

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy

Purpose: This policy sets the requirements for securing MDHS servers.
Reference: IRS Publication 1075 Section 9.16; ITS ESP Part 1, Chapter 5.
Scope: MDHS Employees and Contractors.
Responsible Party: IT administrators.
Definitions: N/A
Policy Statement: MDHS shall “harden” its servers by:

• Regularly installing all service packs, patches, and updates after appropriate integration testing.
• Disabling all unnecessary services, devices, and accounts.
• Enabling appropriate logging and routine log activity review per Security Standard 206 – MIS Log Review.
• Establishing adequate access and control mechanisms.
• Ensuring user authentication and data protection.
• Performing scans for vulnerabilities and configuration weaknesses.
• Setting security parameters and file protections.
• Enabling firewall software on the server.
• Maintaining virus scanning software on all servers with current updates.

MDHS servers shall be subject to the physical security requirements outlined in Security Policy 123 – Physical Security. Internet-facing servers that reside on the State Network must use HTTP or HTTPS through enterprise reverse proxy devices in the ITS DMZ to facilitate inbound connections from the internet or any third-party network. Application and database servers shall be configured behind firewalls. Only authenticated applications and users shall be allowed access to these servers.

Security Policy 105 – MDHS IT Email Security

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy

Purpose: This policy is intended to set the standard for email security when using the MDHS email system within the State network.
Reference: IRS Publication 1075, Section 9.18.5; ITS ESP Part 1, Chapter 6.
Scope: All MDHS Employees, Vendors, Agents and Contractors operating on behalf of the Agency.
Responsible Party: MIS Personnel, MIS Managers.
Policy Statement: MDHS will not use external email to transmit FTI or Social Security-provided data. MDHS will require all email users to read and sign AP-31 E-Mail Usage Policy. MDHS will utilize the ITS-maintained mail relays and will not support SMTP directly to/from the internet. MDHS will only use secure web interfaces (HTTPS) to access email (i.e. no POP or IMAP to internal mail servers). MDHS will only allow private email account access via a web interface (HTTP/HTTPS). No POP/IMAP will be allowed through the state network. If transmittal of Sensitive Information within the agency’s internal e-mail system is necessary, the following precautions must be taken:

• Encrypt the email and any attachments.
• Verify that the recipients are the intended parties.

Security Policy 106 – MDHS IT Virus Prevention

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy

Purpose: This policy sets the required implementation of the Agency virus prevention program.
Reference: IRS Publication 1075 Sections 4.7.2, 9.17, Exhibit 11; ITS ESP Part 1, Chapter 7.
Scope: All MDHS Employees and contractors.
Responsible Party: MIS Security Team.
Policy Statement: MDHS shall have a virus prevention program that includes:

• Maintaining virus scanning software on all servers and workstations.
• Keeping virus signature files and scanning engines updated, with workstations being updated at least weekly and servers being updated at least daily.
• Scanning all file attachments sent or received via e-mail using current anti-virus software.
• Scanning all removable media upon connection/insertion using current anti-virus software.
• Immediately removing any infected workstation or server from the network until the virus has been cleaned.
• Maintaining copies of virus-detection tools offline.
• Keeping all servers and workstations current with operating system and software security patches.
• Disabling AutoPlay (Auto-Run) on all workstations and laptops.
• Reporting all virus activity that is not automatically cleaned by the virus protection software to the MDHS Security Team and the ITS Information Security Division (ISD) as a security incident.

Security Policy 107 – MDHS IT Firewall Security

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy

Purpose: This policy will ensure that adequate security measures are employed to restrict access to sensitive information from outside the organization.
Reference: IRS Publication 1075, Section 9.18.4; ITS ESP Part 1, Chapter 8; NIST SP 800-41r1.
Scope: All MDHS Employees and contractors.
Responsible Party: MIS Network Team.
Policy Statement: ITS will maintain a perimeter firewall between the State Network and the Internet that provides address translation to public address space for MDHS. The following ITS policies must be observed regarding Internet access through the ITS firewall:

• Inbound connections from the Internet are restricted to only ports TCP 80 and TCP 443, for only HTTP and HTTPS protocols. No other inbound-initiated ports are allowed to servers residing on the State Network unless entering the state network over a VPN.

ITS will maintain a DMZ for applications that meet the following criteria:

• Require inbound connections that are not HTTP or HTTPS
• Declared business-critical by both the agency and ITS
• Deemed as unsuitable for a VPN by ITS

All applications utilizing the ITS DMZ must reside in the State Data Center. MDHS will implement a firewall at the perimeter of the MDHS network (between MDHS LAN and ITS firewall) to secure the LAN from any traffic originating within the State Network. MDHS will maintain a rule set for the firewall that is as restrictive as possible (“deny by default”), permitting the minimum services required for proper operation of inter-agency communication. All services not required for proper operation should be denied by the rule set. Some examples of allowed and denied traffic are:

• Examples of commonly used IP protocols, with their IP protocol numbers, are ICMP (1), TCP (6), and UDP (17).

• Other IP protocols, such as IPsec components Encapsulating Security Payload (ESP) (50) and Authentication Header (AH) (51) and routing protocols may also need to pass through firewalls.

• These necessary protocols should be restricted whenever possible to the specific hosts and networks within the organization with a need to use them.

• By permitting only necessary protocols, all unnecessary IP protocols are denied by default.

• Traffic with invalid source or destination addresses should always be blocked, regardless of the firewall location.

• Traffic with an invalid source address for incoming traffic or destination address for outgoing traffic (an invalid “external” address) should be blocked at the network perimeter.

• Traffic with a private destination address for incoming traffic or source address for outgoing traffic (an “internal” address) should be blocked at the network perimeter.

• Traffic containing IP source routing information shall be blocked.
• Traffic from outside the network containing broadcast addresses that are directed to inside the network shall be blocked.

MDHS firewalls will only be managed using secure protocols such as SSH or HTTPS. MDHS firewalls shall log all ingress and egress transmissions traversing the perimeter of the network and retain the log records for at least 30 days.
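
The perimeter rules in this policy (inbound-initiated connections limited to TCP 80/443 unless over the VPN, a protocol allowlist with ESP/AH restricted to specific hosts, and the invalid-address, internal-address, source-routing and directed-broadcast blocks) rendered as a deny-by-default packet evaluator. This is an added Python example, not MDHS or ITS code; it assumes the firewall sits on the public side of ITS address translation, uses RFC 1918 space for the "internal" addresses, and the IPsec peer list and sample packets are constructed from documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass

# IP protocol numbers named in the policy text.
ICMP, TCP, UDP, ESP, AH = 1, 6, 17, 50, 51

# Assumption: the perimeter firewall sits on the public side of ITS address
# translation, so RFC 1918 space stands in for the "internal" addresses that
# must never appear untranslated on either side of a perimeter flow.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed list of hosts allowed to pass ESP/AH (the policy says these
# protocols are restricted to specific hosts with a need to use them).
IPSEC_PEERS = {ipaddress.ip_address("203.0.113.77")}

# Inbound-initiated TCP ports permitted through the ITS perimeter.
INBOUND_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    direction: str                # "in" = from the Internet, "out" = to the Internet
    src: str
    dst: str
    proto: int
    dport: int = 0
    source_routed: bool = False   # IP source-routing option present
    syn_only: bool = False        # TCP connection initiation (SYN, no ACK)
    via_vpn: bool = False         # arrived inside the VPN tunnel


def _invalid(addr) -> bool:
    """Addresses that are never legitimate on the wire, wherever the firewall sits."""
    return (addr.is_loopback or addr.is_unspecified or addr.is_reserved
            or addr.is_link_local or addr.is_multicast)


def _rfc1918(addr) -> bool:
    return any(addr in net for net in RFC1918)


def evaluate(p: Packet) -> str:
    """Deny-by-default decision for one packet: 'permit' or 'deny: <reason>'."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    # Which address faces the Internet and which faces the State Network.
    external, internal = (src, dst) if p.direction == "in" else (dst, src)

    if _invalid(src) or _invalid(dst):
        return "deny: invalid address"
    if _rfc1918(external):                 # private range on the Internet side
        return "deny: invalid external address"
    if _rfc1918(internal):                 # untranslated private address
        return "deny: untranslated internal address"
    if p.source_routed:
        return "deny: source routing"
    # Simplification: a last octet of 255 is treated as a directed broadcast
    # (a real check would use the destination subnet mask).
    if p.direction == "in" and int(dst) & 0xFF == 0xFF:
        return "deny: directed broadcast"

    # Protocol allowlist: ICMP/TCP/UDP generally; ESP/AH only for listed peers.
    if p.proto in (ESP, AH):
        return "permit" if external in IPSEC_PEERS else "deny: ipsec peer not listed"
    if p.proto not in (ICMP, TCP, UDP):
        return f"deny: protocol {p.proto} not permitted"

    # Inbound-initiated connections: TCP 80/443 only, unless inside the VPN.
    if (p.direction == "in" and p.proto == TCP and p.syn_only
            and not p.via_vpn and p.dport not in INBOUND_PORTS):
        return f"deny: inbound port {p.dport}"
    return "permit"


def audit(packets) -> dict:
    """Tally decisions for a batch of packets; useful when reviewing a rule set."""
    results = {}
    for p in packets:
        decision = evaluate(p)
        results[decision] = results.get(decision, 0) + 1
    return results


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    Packet("in", "203.0.113.5", "198.51.100.20", TCP, 443, syn_only=True),
    Packet("in", "203.0.113.5", "198.51.100.20", TCP, 22, syn_only=True),
    Packet("in", "203.0.113.5", "198.51.100.20", TCP, 22, syn_only=True, via_vpn=True),
    Packet("in", "10.1.2.3", "198.51.100.20", TCP, 443, syn_only=True),
    Packet("in", "203.0.113.5", "192.168.1.10", TCP, 443, syn_only=True),
    Packet("in", "127.0.0.1", "198.51.100.20", ICMP),
    Packet("in", "203.0.113.5", "198.51.100.255", UDP, 137),
    Packet("in", "203.0.113.5", "198.51.100.20", TCP, 443, syn_only=True, source_routed=True),
    Packet("in", "203.0.113.77", "198.51.100.20", ESP),
    Packet("in", "203.0.113.5", "198.51.100.20", ESP),
    Packet("in", "203.0.113.5", "198.51.100.20", 47),
    Packet("out", "198.51.100.20", "203.0.113.5", TCP, 8080, syn_only=True),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{pkt.direction:3} {pkt.src:>15} -> {pkt.dst:<15} proto {pkt.proto:<3} {evaluate(pkt)}")
```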

Security Policy 108 – MDHS IT Data Encryption, Physical Security of Computers and Electronic and Removable Media

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy
6/20/2017        2.0          IRS FTI Guidelines for Physical Security of Computers and Electronic and Removable Media

Purpose: This policy will set the guidelines for data encryption within the MDHS network.
Reference: IRS Publication 1075 Sections 4.5, 4.7.1, 4.7.2, 7.4.8, 9.18.2, Exhibit 10; ITS ESP Part 1, Chapter 9.
Scope: All MDHS Employees and Contractors.
Responsible Party: IT Administrators.
Policy Statement: MDHS shall encrypt all sensitive information using industry-standard algorithms (Triple DES, AES, or SSL/TLS) when it travels to or from untrusted networks and/or entities. MDHS Internet-facing servers located in the State Data Center that gather or transmit sensitive information must use, at minimum, SSL for the transaction. MDHS must acquire the Certificate Authority-signed certificate for such a server from ITS. MDHS shall encrypt sensitive information stored on Agency systems. MDHS will ensure that any sensitive data on systems located offsite is properly encrypted. Federal Tax Information (FTI) shall be encrypted when moving across the Wide Area Network (WAN).

Computers and electronic media that receive, process, store, or transmit FTI must be in a secure area with restricted access. In situations where the requirements of a secure area with restricted access cannot be maintained, such as home work sites, remote terminals or other office work sites, the equipment must receive the highest level of protection practical, including full disk encryption. All computers and mobile devices that contain FTI and reside at an alternate work site must employ encryption mechanisms to ensure that FTI cannot be accessed if the computer is lost or stolen. Basic security requirements must be met, such as keeping FTI locked up when not in use. When removable media contains FTI, it must be labeled as FTI.

All computers, electronic media, and removable media containing FTI must be kept in a secured area under the immediate protection and control of an authorized employee, or locked up. When not in use, the media must be promptly returned to a proper storage area/container. Inventory records of electronic media must be maintained and reviewed semi-annually for control and accountability. MDHS, per the Enterprise Security Policy, prohibits FTI from being stored on removable media. If an exception is approved for the temporary storage of FTI on removable media, the data must be encrypted.

Security Policy 109 – MDHS IT Password Security

Effective Date   Revision #   Description
12/01/2014       1.1          Initial Policy
10/26/2017       2.0          Service Level Account Password Change Interval

Purpose: This policy will set the requirements for passwords that authenticate users to access the MDHS domain and email systems.
Reference: IRS Publication 1075 Section 9.8, Exhibit 8; ITS ESP Part 1, Chapter 14.
Scope: All MDHS Employees and contractors.
Responsible Party: IT Administrators.
Policy Statement: Passwords shall adhere to the following requirements:

1. Passwords are required for all user accounts.

2. Passwords shall be a minimum length of 8 characters in a combination of lower case letters, upper case letters, and numbers. A minimum of one capital letter and a minimum of one number is required.

3. Active Directory passwords shall be changed every 60 days, at a minimum, for all user accounts to reduce the risk of compromise through guessing, password cracking or other attack and penetration methods.

4. RACF application passwords shall be changed every 30 days, at a minimum, for all user accounts to reduce the risk of compromise through guessing, password cracking or other attack and penetration methods.

5. Password changes for standard and privileged users shall be systematically enforced where possible.

6. Passwords will be disabled manually or systematically after 90 days of inactivity to reduce the risk of compromise through guessing, password cracking or other attack and penetration methods.

7. Users shall be prohibited from using their last six passwords to deter reuse of the same password.

8. Users shall be prohibited from changing their passwords for at least 15 days after a recent change; that is, the minimum password age shall be 15 days.

9. The information system shall routinely prompt users to change their passwords within 5-14 days before such password expires.

10. User account lockout feature shall disable the user account after 3 unsuccessful login attempts.

11. Account lockout duration shall be permanent until an authorized system administrator reinstates the user account.

12. Default vendor passwords shall be changed upon successful installation of the information system product.

13. System initialization (boot) settings shall be password-protected.

14. Clear-text representation of passwords shall be suppressed (blotted out) when entered at the login screen.

15. Passwords shall not be automated through function keys, scripts or other methods where passwords may be stored on the system.

16. Null passwords shall be prohibited to reduce the risk of compromise through rogue enticement techniques or other attack and penetration methods.

17. Use of dictionary words (English or foreign-language), popular phrases, or obvious combinations of letters and numbers in passwords shall be prohibited where possible. Obvious combinations of letters and numbers include first names, last names, initials, pet names, user accounts spelled backwards, user ID, repeating characters, consecutive numbers, consecutive letters, user’s name, spouse’s name, kid’s name, employee number, social security number, birth date, telephone number, city and other predictable combinations and permutations.

18. Passwords must not contain proper names, including the name of any fictional character or place.

19. Passwords must not contain any simple pattern of letters or numbers such as “qwertyxx”, “12345678”, or “xyz123xx”.

20. Users shall commit passwords to memory, avoid writing passwords down and never disclose passwords to others (e.g., with a co-worker in order to share files).

21. Passwords must not be stored in clear text on hard drives or other electronic media.

22. Passwords suspected to be stolen or cracked must be changed immediately and notification must be given to the user’s supervisor and system administrator.

23. Service Account Passwords, such as those used to administer Websites, must be changed at least annually.
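
The composition rules (2, 16, 17, 18, 19), the six-deep reuse history (7, 21) and the Active Directory lifecycle rules (3, 6, 8, 9) above, as an added Python example that is not MDHS code and not a description of how MDHS enforces them. The word list, the run-length threshold for "repeating or consecutive characters", the PBKDF2 parameters and the sample dates are assumptions; the policy sets none of them.

```python
import hashlib
import os
import re
from datetime import date, timedelta

# Small constructed word list standing in for the dictionary/proper-name
# check of rules 17 and 18 (a real deployment would load a full list).
DICTIONARY = {"password", "welcome", "mississippi", "jackson", "summer"}

# Keyboard rows used to detect "simple patterns" such as qwerty (rule 19).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

MIN_LENGTH = 8          # rule 2
HISTORY_DEPTH = 6       # rule 7
MAX_AGE_DAYS = 60       # rule 3 (Active Directory; RACF uses 30)
MIN_AGE_DAYS = 15       # rule 8
WARN_DAYS = 14          # rule 9: prompting begins 14 days out, runs to expiry
INACTIVE_DAYS = 90      # rule 6
RUN_LENGTH = 4          # assumption: 4 identical/consecutive chars count as a run


def _has_run(s: str, length: int) -> bool:
    """True if s contains `length` identical, ascending or descending
    consecutive characters (e.g. 'aaaa', '1234', 'dcba')."""
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def _keyboard_pattern(s: str, length: int = 4) -> bool:
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            frag = row[i:i + length]
            if frag in s or frag[::-1] in s:
                return True
    return False


def check_composition(password: str, user_id: str, personal: tuple = ()) -> list:
    """Return the policy rules the candidate violates ([] if acceptable).
    `personal` holds lower-cased names/dates tied to the user (rule 17)."""
    if not password:
        return ["rule 16: null password"]
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("rule 2: shorter than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
            and re.search(r"[0-9]", password)):
        violations.append("rule 2: needs lower, upper and a digit")
    low, uid = password.lower(), user_id.lower()
    if uid in low or uid[::-1] in low:
        violations.append("rule 17: contains user ID (or reversed)")
    if any(p and p in low for p in personal):
        violations.append("rule 17: contains personal information")
    if _has_run(low, RUN_LENGTH):
        violations.append("rule 17: repeating or consecutive characters")
    if any(w in low for w in DICTIONARY):
        violations.append("rule 17/18: dictionary word or proper name")
    if _keyboard_pattern(low):
        violations.append("rule 19: keyboard pattern")
    return violations


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history never holds clear text (rule 21).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def reused(password: str, history: list) -> bool:
    """history: list of (salt, digest) tuples, newest last, six kept at most."""
    return any(_hash(password, s) == d for s, d in history[-HISTORY_DEPTH:])


def record(password: str, history: list) -> list:
    salt = os.urandom(16)
    return (history + [(salt, _hash(password, salt))])[-HISTORY_DEPTH:]


def history_demo() -> tuple:
    """Rotate through seven passwords; the first drops out of the six-deep history."""
    history = []
    for i in range(7):
        history = record(f"Passw0rd{i}X", history)
    return reused("Passw0rd0X", history), reused("Passw0rd6X", history)


def account_status(last_change: date, last_login: date, today: date) -> str:
    """Lifecycle state for an Active Directory account under rules 3, 6, 8, 9."""
    if (today - last_login).days >= INACTIVE_DAYS:
        return "disable: inactive 90+ days"
    age = (today - last_change).days
    if age >= MAX_AGE_DAYS:
        return "expired: change required"
    if MAX_AGE_DAYS - age <= WARN_DAYS:
        return f"warn: expires in {MAX_AGE_DAYS - age} days"
    if age < MIN_AGE_DAYS:
        return "ok: change not yet permitted (minimum age)"
    return "ok"


def lifecycle_demo(today: date = date(2018, 1, 24)) -> dict:
    """Constructed scenarios keyed by password age / inactivity in days."""
    d = lambda n: today - timedelta(days=n)
    return {"age70": account_status(d(70), d(1), today),
            "age50": account_status(d(50), d(1), today),
            "age5": account_status(d(5), d(1), today),
            "age30": account_status(d(30), d(1), today),
            "idle90": account_status(d(30), d(90), today)}
```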

Security Policy 110 – MDHS IT Mobile Device Security

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy

Purpose: The purpose of this document is to define the policy for mobile devices that store sensitive information and/or access the MDHS internal network.
Reference: IRS Publication 1075 Section 9.2, Exhibit 4, AC-19; ITS ESP Part 1, Chapter 14.
Scope: MDHS Employees and contractors.
Responsible Party: IT Administrators.
Policy Statement: Personal mobile devices must not be used to access sensitive information, MDHS email, the MDHS network or the State network. Any use of mobile devices for access to agency systems or storage of agency data must appropriately secure those devices to prevent sensitive data from being lost or compromised and to reduce the risk of spreading. MDHS employees must never leave portable devices unattended in public settings and must take precautions to avoid the risk of unauthorized persons viewing information on-screen.

Access Control

• Users must not download, run, and/or install software and applications, or enable unauthorized protocols or services, without the approval and assistance of the MIS Department.

• Wi-Fi, 3G, or Bluetooth connection to mobile devices must be configured in a secure manner and turned off when not in use.

• Secondary sequence must be disabled.
• The Administrator account must be renamed to a non-descript name.
• The last user name must not be displayed in the login dialog box.
• Users must only enable one active network interface when connected to the State network (e.g. if Wi-Fi is enabled, then other access methods are disabled).
• Mobile devices must adhere to Security Policy 109 – MIS Password Security.

Authentication must not be disabled on mobile devices.

Mobile devices should be configured to time out after 30 minutes of inactivity and require re-authentication. MDHS users must log out or turn mobile devices off when they are left unattended. Mobile devices are subject to Security Policy 108 – MIS Data Encryption. Mobile devices that contain FTI must be managed by a Mobile Device Management (MDM) system that allows the agency to authorize, monitor and control device access to MDHS systems.

Security Policy 111 - MDHS IT Application Security

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy

Purpose: This document sets the policy for assessing new applications to ensure that state and federal application security and privacy requirements are met.
Reference: IRS Publication 1075 Section 9.17, Exhibit 4, Exhibit 9, Exhibit 11; ITS ESP Part 1, Chapter 16; § 435.53 Retention and access requirements for records.
Scope: MDHS Employees and Contractors.
Responsible Party: MIS Administrators, MIS Programmers, MIS Database Administrators.
Policy Statement: MDHS ITS must test new application code for common errors that can compromise the integrity of the production environment when the application is deployed. In order to ensure proper code security, MDHS:

• Must assess:
  o Un-validated input
  o Broken access control
  o Broken authentication and session management
  o Injection flaws
  o Improper error handling
  o Insecure configuration management
  o Insecure storage
  o Cross-site scripting (XSS)
  o Insecure direct object references
  o Cross-site request forgery
  o Insufficient transport layer protection
  o Un-validated redirects and forwards

• Will consider the following application security assessment methods:
  o Contract with a third party for assessment services.
  o Perform internal application security assessments.
  o Utilize application security assessment software.

MDHS must document its application security assessment process and results (for both new and updated applications) prior to deploying new applications, and submit all application assessment documentation to ITS as part of the submission package satisfying the mandatory third-party security risk assessment. The application audit trail must capture all events identified in Exhibit 9 of IRS Publication 1075, summarized here:

• Login/logoff attempts
• Privileged user/function actions, connections and requests
• Rights and permission changes
• Audit and security policy/services changes
• User/administrator account creation, modification, deletion
• Capture the date/time/type and user or process responsible for the event
• Startup/shutdown
• Command line changes, batch file changes and system queries
• Audit trail protected from unauthorized access, modification or deletion
• Audit trail restricted to only personnel responsible for security audit functions
• Audit record storage capacity sufficient to retain audit records for the minimum period required for the information classification:
  o FTI data retention 7 years
  o SSA data retention 3 years

Within the application, auditing must be enabled to the extent necessary to capture access, modification, deletion and movement of FTI by each unique user. This auditing requirement also applies to data tables or databases embedded in or residing outside of the application. Web-enabled application software shall:

• Prohibit generic meta-characters from being present in input data
• Have all database queries constructed with parameterized stored procedures to prevent SQL injection
• Protect any variable used in scripts to prevent direct OS command attacks
• Have all comments removed from any code passed to the browser
• Not allow users to see any debugging information on the client
• Be checked before production deployment to ensure all sample, test and unused files have been removed from the production system
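
The first two web-application rules above (reject meta-characters in input data; build every database query with parameters), shown side by side in an added Python/sqlite3 example that is not MDHS code. SQLite has no stored procedures, so a parameterized statement stands in for the policy's parameterized stored procedure; the `cases` table, the case-ID format accepted by the input filter and the crafted test string are constructed for the example.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table standing in for an application's case records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cases (case_id TEXT, worker TEXT, status TEXT)")
    conn.executemany("INSERT INTO cases VALUES (?, ?, ?)", [
        ("C-1001", "jsmith", "open"),
        ("C-1002", "jsmith", "closed"),
        ("C-2001", "rjones", "open"),
    ])
    return conn


# Allowlist for the documented identifier format (an assumption: the policy
# names no format). Anything else, including quotes, semicolons and comment
# markers, is rejected before it reaches a query or a script.
CASE_ID_PATTERN = re.compile(r"^[A-Z]-\d{4}$")


def validate_case_id(value: str) -> str:
    """Accept only a well-formed case ID; reject everything else."""
    if not CASE_ID_PATTERN.fullmatch(value):
        raise ValueError(f"rejected input: {value!r}")
    return value


def lookup_unsafe(conn, worker: str, case_id: str) -> list:
    """Query assembled by string formatting: the form the policy forbids.
    Untrusted text becomes part of the SQL statement itself."""
    sql = (f"SELECT case_id, status FROM cases WHERE worker = '{worker}' "
           f"AND case_id = '{case_id}'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, worker: str, case_id: str) -> list:
    """Parameterized query: user data is bound as values, never parsed as SQL."""
    sql = "SELECT case_id, status FROM cases WHERE worker = ? AND case_id = ?"
    return conn.execute(sql, (worker, case_id)).fetchall()


def demonstrate() -> dict:
    """Run one crafted input through both query paths and the input filter."""
    conn = build_db()
    crafted = "' OR '1'='1"          # constructed test string for the comparison
    try:
        validate_case_id(crafted)
        filtered = "accepted"
    except ValueError:
        filtered = "rejected"
    return {
        "normal_safe": lookup_safe(conn, "jsmith", "C-1001"),
        # Concatenation lets the condition collapse to a tautology: every row,
        # including another worker's case, comes back.
        "unsafe_rows_returned": len(lookup_unsafe(conn, "jsmith", crafted)),
        # Bound as a value, the same text simply matches no case_id.
        "safe_rows_returned": len(lookup_safe(conn, "jsmith", crafted)),
        "input_filter": filtered,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```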

Security Policy 112 – MDHS IT Media Access Protection

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy
8/17/2016        2.0          Update Reference and Policy Statement

Purpose: This policy will set the requirements to restrict access to MIS media containing sensitive information to authorized individuals.
Reference: IRS Publication 1075, Section 9.3.10.
Scope: All MDHS employees and contractors.
Responsible Party: IT Administrators, IT Managers, Agency Managers, Agency Supervisors.
Policy Statement: MDHS restricts electronic and physical access to media containing sensitive information to only those persons with a need to know, by applying the principle of least privilege per Security Policy 114 - MIS Access Control and AP-43 Access Control ID Card Policy. MDHS and ITS will mark all removable media containing sensitive information for identification and tracking. Access to media containing FTI shall be controlled by standard Security Procedure 112-1 – MIS FTI Data Handling. Media containing sensitive information will be destroyed per standard Security Procedure 112-2 – Destruction Methods for Sensitive Information when it is no longer in use.

Security Policy 113 – MDHS IT Wireless Access

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy

Purpose: The purpose of this document is to set the policy for a secure wireless network within MDHS.
Reference: IRS Publication 1075 Section 9.2, Exhibit 4, AC-18; ITS ESP Part 1, Chapter 13.
Scope: MDHS Employees and Contractors.
Responsible Party: IT Administrators.
Policy Statement: Wireless Access Points (WAPs) must be strategically located to minimize the interception of wireless signals by unauthorized individuals, and their range must be tested to ensure that signals are not being transmitted outside the intended coverage area. WAP installations must use WPA version 2 with AES at a minimum. WEP and WPA version 1 must not be used. For PSK-mode WPA version 2 deployments:

• The “key” or “pass-phrase” should be known by, and kept securely by, as few personnel as possible.
• The “key” or “pass-phrase” should be changed at least every three months.
• WPA-PSK passwords must be, at minimum, 16 characters with a combination of lower case letters, upper case letters, numbers, and symbols.

For Enterprise mode WPA version 2 deployments implement either:

• RADIUS server with rolling PSK, or
• Manual change of PSK with network access control deployed.

All configurable WAP settings (e.g. Service Set Identifier (SSID), keys, passwords, channels) must be changed from the default. WAPs must NOT be connected to a hub. WAPs must be physically protected from theft and from access to the data port. The SSID must not be openly broadcast. MDHS shall monitor access to the wireless network by regularly scanning to detect unauthorized clients.

Security Policy 114 - MDHS IT Systems Access Control

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy
4/30/2015        2.0          Disabling User Accounts via Self-Audits
8/03/2015        3.0          Systems Form Numbers Included for Terminations
01/05/2018       4.0          Self-Audit Interval Updated
1/24/2018        5.0          Update with SSA Information

Purpose: This policy will help manage the risk of security exposure or compromise by setting the requirements for allowing access to MIS resources and sensitive information.
Reference: IRS Publication 1075 Sections 5.0, 9.2, 9.8, 9.18.1, 9.18.3, Exhibit 11; ITS ESP Rule 1.3.A, Part 1 Chapter 10, Part 1 Chapter 11, Part 1 Chapter 12.
Scope: All MDHS employees and contractors.
Responsible Party: IT Administrators, IT Managers.
Policy Statement: Access to all MDHS systems and sensitive information is based on the least privilege and need-to-know principles, whereby employees are given access to only the resources required to perform their job duties. Sensitive information is never indiscriminately disseminated within MDHS. MDHS shall not allow contractors to access FTI data, per Security Form 002 - MIS FTI Contractor Acknowledgement Form. Access to FTI on systems at the ITS State Data Center will be controlled by Security Standard 201 – ITS State Data Center FTI Access. MDHS shall not access FTI via State tax files or through other agencies. MDHS must verify the identity of all employees and contractors that have access to SSA-provided information. All new Employees and Contractors must have a completed USCIS Form I-9 on file to document verification of identity and employment authorization. All new requests for access to FTI and SSA-provided information via MDHS proprietary systems must be accompanied by a completed MDHS-MIS-60 MDHS Confidential Information Agreement Form.

Need to know access to MDHS proprietary systems is given by:

• EPPIC – MDHS MIS EPPIC User Access Request Form
• FITS – MDHS MIS FITS User Access Request Form
• JAWS – MDHS JAWS User Access Request Form
• MAVERICS – MDHS MAVERICS User Access Request Form
• METSS – MDHS METSS User Access Request Form

Remote access into the MDHS network will be established only if required to perform special job functions and only under the following criteria:

• Connection must be made via an encrypted VPN using IPSec or SSL.
• Allowed IP addresses and TCP/UDP ports must only include what is necessary for the applications used by the remote user.
• MDHS shall not allow dial-up access.
• MDHS will utilize two-factor authentication whenever FTI is being accessed remotely.
• FTI shall only be accessed from MDHS-owned computers.

Third party entities may not connect directly to the MDHS LAN other than support applications that require real-time interaction by the agency end user. All access to the MDHS network will be terminated immediately upon the retirement, resignation, dismissal, end of contract, or any and all other actions that signal that the requirements for having a connection are no longer being met. In such cases, MDHS will use Access Control forms listed below to ensure that all physical and electronic access means are collected or terminated.

• EPPIC – MDHS-MIS-32
• FITS – MDHS-MIS-42
• JAWS – MDHS-MIS-03
• MAVERICS – MDHS-MIS-10.1-MAVS
• METSS – MDHS-MIS-02
• MDHS Termination Form Property Checklist – MDHS-PER-263

Annual Self-Audits – Disabling Inactive User Accounts

The designated System Administrator will conduct Self-Audits of all User Accounts on an annual basis. User Accounts that have been inactive for 90 days or more will be disabled or deleted.

Security Policy 115 - MDHS IT Internal Audit

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy

Purpose: This document sets the policy for the internal inspections that will ensure adequate safeguards and security.
Reference: IRS Publication 1075 Sections 6.3, 9.3, Exhibit 9; ITS ESP Rule 1.4.G.
Scope: All MDHS Employees and contractors.
Responsible Party: MDHS Security Team.
Policy Statement: MDHS must annually verify that employees understand the security policies and standards that apply to their job description. At a minimum, all employees who handle sensitive information must review SP100 - MIS Information Security Policy annually and sign Security Form 001 - MIS Security Policy Acknowledgement. MDHS internal inspections of all facilities receiving FTI will occur:

• At headquarters, and ITS, every 18 months.
• At local offices, every 36 months.

MDHS shall develop, and annually update, an internal inspection plan, for all facilities receiving FTI, detailing the timing of internal inspections in the current year and the next two years. The plan must be included as part of the annual SAR. The internal inspection shall include:

• A review of the log of all requests for FTI data, including receipt, return and disposal records, whether received directly or indirectly.

• Secure storage of FTI.
• Physical and systemic barriers to unauthorized access, including facility security features.
• Proper disposal of FTI.
• Computer systems security, including the electronic and physical enforcement of the need-to-know principle.
• The implementation of a Plan of Action & Milestones (POAM) corrective action plan based on internal inspection findings.
• A review to ensure that no one connects unauthorized devices to network equipment located within the operational environment.

MDHS must ensure that audit information is archived for six (6) years to enable the recreation of computer-related accesses to both the operating system and the application wherever FTI is stored. MDHS systems shall generate audit records for all security-relevant events, including all security and system administrator accesses. MDHS systems shall generate audit records for all verified Social Security Administration (SSA) data displayed on screens. MDHS shall routinely review audit records for indications of unusual activities, suspicious activities or suspected violations, and report findings to appropriate officials for prompt resolution. To enable review of audit records, MDHS must implement a system that provides an audit reduction and report generation capability.

Security Policy 116 – MDHS IT Security, Disclosure & Incident Response Awareness Training

Effective Date   Revision #   Description
12/01/2014       1.0          Initial Policy
8/25/2016        2.0          Updated per IRS SSR and July 2016 IRS Pub 1075

Purpose: This policy establishes the requirements for proper Security Awareness Training and Incident Response procedures for the MDHS Agency. The Security Awareness Training will be based on the MDHS Full Disclosure Awareness Program to address IRS Federal Tax Information (FTI), Social Security Administration (SSA) provided data, Office of Child Support Enforcement (OCSE) National Directory of New Hires (NDNH) data and all Personally Identifiable Information (PII).
Reference: IRS Publication 1075 Sections 9.3.2 and 10; IRS IRC Sections 7431, 7213, 7213A.
Scope: All MDHS Employees, Contractors and Subcontractors.
Responsible Party: MDHS Administration, MDHS MIS Security Team.
Policy Statement: MDHS shall:

• At hire and annually, train all Employees and all Contractors on the following topics:
  o All MDHS Employees and Contractors must sign the “MDHS Confidential Information Agreement”, which is inclusive of Non-Disclosure and Incident Response guidelines for IRS, SSA, OCSE and PII data.
  o Per the guidelines in the “MDHS Confidential Agreement”, all Employees and Contractors with access to Federal Tax Information must be made aware of the provisions of IRS IRC Sections 7431, 7213 and 7213A.
  o Per the guidelines in the “MDHS Confidential Agreement”, all Employees and Contractors must be made aware of the provisions of the SSA Data Handling and OCSE Data Handling guidelines set forth in the “MDHS Confidential Agreement”.
  o Per the guidelines in the “MDHS Confidential Agreement”, all Employees and Contractors must be aware of and support the directives for Incident Response as stated in the “MDHS Confidential Agreement” and as outlined in Security Policy 118 “MDHS IT Incident Response”.

• Identify personnel with significant information system security roles and responsibilities, and provide sufficient security training before authorizing access to the information system and sensitive information. Train employees based on their job function and their access to particular data classification levels. All employees who are authorized to access sensitive data shall receive specific security awareness training based on their role and function in the organization.


Security Policy 117 – MDHS IT Configuration Management

Effective Date | Revision # | Description
12/01/2014 | 1.0 | Initial Policy

Purpose: This policy establishes configuration management controls for MDHS systems.

Reference: IRS Publication 1075 Section 9.6; ITS ESP Part 1, Chapter 5; SP104 – MIS Server Security

Scope: MIS Department

Responsible Party: MIS System Administrators

Policy Statement: MDHS shall establish baseline configurations for:

1. General purpose operating systems
2. Common desktop applications
3. Infrastructure devices such as:
   o Routers
   o Firewalls
   o VPN gateways
   o Intrusion detection systems
   o Wireless access points
   o Telecommunication systems
4. Application servers such as:
   o DNS
   o DHCP
   o SMTP
   o Database
5. Other network devices such as:
   o Mobile devices
   o Scanners
   o Printers
   o Copiers
   o Faxes

Baseline configurations shall be documented using checklists developed based on NIST SP 800-70 and Standards, as required. Change control shall be implemented for configurations by establishing a process for analyzing, authorizing and documenting changes.


MDHS shall maintain a current inventory of the components of the information system and relevant ownership information.


Security Policy 118 - MDHS IT Incident Response

Effective Date | Revision # | Description
12/01/2014 | 1.0 | Initial Policy
1/20/2016 | 2.0 | Add SSA Guidelines
4/01/2016 | 3.0 | Add OCSE Guidelines
8/22/2016 | 4.0 | Update IRS Information: A- New Pub 1075 July 2016; B- Added Incident Response Info

Purpose: The purpose of this policy is to establish MDHS goals for handling potential or actual security events involving Internal Revenue Service (IRS) Federal Tax Information (FTI), Social Security Administration (SSA) data and the Office of Child Support Enforcement’s (OCSE) National Directory of New Hire (NDNH).

Reference: Mississippi Division of Information Technology Services (ITS) – Enterprise Security Policy; IRS Publication 1075 – 9.3.8, 10.0; NIST 800-61r2; SSA TSSR Version 7.0; OCSE Security Addendum II.A.7

Scope: All MDHS Employees and Contractors

Responsible Party: MDHS MIS Security Group, Directors, Managers, Supervisors, CIO, Director, Deputy Director

Policy Statement: MDHS will conduct incident response training and awareness for all personnel who have access to private data per Security Policy 116 – MIS Security Training. MDHS will test and exercise the incident response capability at least annually and document the results per Security Policy 101 – MIS Risk Management.

MDHS personnel are required to immediately report security incidents or potential breaches of private data to the MIS Security Group. The MIS Security Group will determine the severity of the event and, if warranted, notify the MDHS Incident Response Team, which will consist of the MIS Security Group, the MDHS Chief Information Officer and the MDHS Deputy Director. The MDHS Incident Response Team will determine the severity of the incident and notify the following as appropriate.

I. Internal Revenue Service (IRS) – For Federal Tax Information (FTI)

Upon discovering a possible improper inspection or disclosure of FTI, including breaches and security incidents, by a federal employee, a state employee, or any other person, the individual making the observation or receiving information must contact the office of the appropriate special agent-in-charge, TIGTA, immediately, but no later than 24 hours after identification of a possible issue involving FTI. Call the local TIGTA (Treasury Inspector General for Tax Administration) Field Division Office first. (Publication 1075, Section 10)

Concurrent to notifying TIGTA, the agency must notify the Office of Safeguards. Provide data as identified in IRS Publication 1075, Section 10.2.

TIGTA
Treasury Inspector General for Tax Administration
Ben Franklin Station
P.O. Box 589
Washington, DC 20044-0589
Hotline Number: 1-800-589-3718
Telephone: 1-713-209-3711

The MDHS Incident Response Program for Federal Tax Information will include support for the IRS requirements listed below.

Publication 1075 – Section 9.3.8 “Incident Response”

o Incident Response Policies and Procedures – Section 9.3.8.1
o Incident Response Training – Section 9.3.8.2
o Incident Response Testing – Section 9.3.8.3
o Incident Handling – Section 9.3.8.4
o Incident Monitoring – Section 9.3.8.5
o Incident Reporting – Section 9.3.8.6
o Incident Response Assistance – Section 9.3.8.7
o Incident Response Plan – Section 9.3.8.8
o Information Spillage Response – Section 9.3.8.9

Publication 1075 – Section 10 “Reporting Improper Inspections or Disclosures”

o General – Section 10.1
o Office of Safeguards Notification Process – Section 10.2
o Incident Response Procedures – Section 10.3
o Incident Response Notification to Impacted Individuals – Section 10.4
o FTI Suspension, Termination and Administrative Review – Section 10.5

II. Social Security Administration (SSA) – For SSA Data

If your agency experiences or suspects a breach or loss of PII or a security incident, which includes SSA-provided information, they must notify the State official responsible for Systems Security designated in the agreement. That State official or delegate must then notify the SSA Regional Office Contact or the SSA Systems Security Contact identified in the agreement. If, for any reason, the responsible State official or delegate is unable to notify the SSA Regional Office or the SSA Systems Security Contact within one hour, the responsible State Agency official or delegate must report the incident by contacting SSA’s National Network Service Center (NNSC) toll free at 877-697-4889 (select “Security and PII Reporting” from the options list). The EIEP will provide updates as they become available to SSA contact, as appropriate. Refer to the worksheet provided in the agreement to facilitate gathering and organizing information about an incident. (TSSR Version 7.0)


1. SSA Regional Office
   Jan Stearns
   Email: [email protected]
   Toll: (866) 331-4458

OR

2. SSA’s National Network Service Center (NNSC)
   1-877-697-4889, select the “Security and PII Reporting” option

III. Office of Child Support Enforcement (OCSE) – For National Directory of New Hire (NDNH)

Upon disclosure of NDNH information from OCSE to the state agency, the state agency is the responsible party in the event of a breach or suspected breach of the information. Immediately upon discovery, but in no case later than one (1) hour after discovery of the incident, the state agency shall report confirmed and suspected incidents, in either electronic or physical form, to the FPLS ISSO designated in the OCSE Security Addendum. The state agency is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officials; notifying any other public and private sector agencies involved; responding to inquiries about the breach; resolving all issues surrounding the breach of NDNH information; and any other activities as required by OCSE. (OCSE Security Addendum II.A.7)

1. The U.S. Department of Health and Human Services, Administration for Children and Families, Office of Child Support Enforcement
   Linda Boyer, Data Access and Security Manager
   Division of Federal Systems
   Office of Automation and Program Operations
   Office of Child Support Enforcement
   Administration for Children and Families
   370 L’Enfant Promenade S.W., 4th Floor
   Washington, DC 20447
   Email: [email protected]
   Toll: (202) 401-5410

MDHS will report all information security incidents to the ITS Information Security Division (ISD) as soon as possible and will follow the reporting procedures described in the ISD Cyber Security Incident Reporting Guidelines document. The MDHS Security Team will offer advice and assistance to users of FTI and of any information system containing FTI in the handling and reporting of security incidents. The MDHS Incident Response Team will implement appropriate incident responses, including preparation, detection and analysis, containment, correlation, eradication, and recovery. Information about security incidents will not be discussed or shared in any way, internally or outside of MDHS, except as compelled as part of the formal investigation of the incident. Those discussions will be initiated by a member of the MDHS Incident Response Team, law enforcement, or state or federal investigators.


Security Policy 119 - MDHS IT Maintenance

Effective Date | Revision # | Description
12/01/2014 | 1.0 | Initial Policy

Purpose: This policy identifies the necessary maintenance security controls that must be implemented at MDHS.

Reference: IRS Publication 1075 9.10

Scope: All MDHS Employees and Contractors

Responsible Party: MIS Personnel

Policy Statement: MDHS shall identify and monitor a list of maintenance tools and remote maintenance tools (R202 - MIS Maintenance Tools Inventory). Only authorized personnel may perform maintenance on MDHS information systems. Maintenance must be scheduled, performed and documented. MDHS shall annually review records of routine preventive and regular maintenance (including repairs) on the components of the information system against manufacturer or vendor specifications and/or MDHS requirements.


Security Policy 120 - MDHS IT Personnel Security

Effective Date | Revision # | Description
12/01/2014 | 1.0 | Initial Policy

Purpose: This policy sets the requirements for implementing personnel security controls.

Reference: IRS Publication 1075 Section 9.12.

Scope: MDHS Employees and Contractors.

Responsible Party: MDHS and MIS Administrators.

Policy Statement: MDHS shall categorize positions, assign a risk designation and screen personnel accordingly. MDHS shall complete the employee screening prior to granting access to any information systems. MDHS shall conduct exit interviews and use MDHS-PER-263 - MDHS Termination Form Property Checklist to revoke information systems access and ensure the return of all MDHS property and access means whenever employment is terminated. MDHS shall grant, modify and terminate system access per system-specific access agreements.


Security Policy 121 – MDHS IT Scanning & Use of MFD Policy

Effective Date | Revision # | Description
9/10/2015 | 1.0 | Initial Policy
1/16/2017 | 2.0 | Added Requirement Prohibiting Use of MFDs for FTI
11/29/2017 | 3.0 | Added IRS Requirements for MFD Configuration

Purpose: This policy identifies the security requirements to protect the confidentiality of sensitive information when it is scanned and stored.

Reference: IRS Publication 1075 9.3.16.6, 9.4.4, 9.4.9; NIST 800-53 Revision 4 SC-8

Scope: All MDHS Employees and Contractors

Responsible Party: MIS Network Team, MIS Hardware Team and MIS Security Team

Definitions: N/A

Policy Statement: MDHS Employees and Contractors are prohibited from scanning and storing Federal Tax Information (FTI), National Directory of New Hire (NDNH) and Social Security Administration (SSA) information.

Use of Multi-Function Devices (MFDs – Copiers) by all MDHS Employees and Contractors is prohibited for processing (Copying, Faxing or Scanning) Federal Tax Information (FTI).

MDHS Configuration Requirements for MFDs Processing FTI - Source IRS Publication 1075

1. Least functionality controls that must be in place include disabling all unneeded Network protocols, services, and assigning a dedicated static IP address to the MFD or High Volume Printer.

2. Strong security controls should be incorporated into the MFD or High Volume Printer management and administration.


3. Access enforcement controls must be configured correctly, including access controls for file shares, administrator and non-administrator privileges, and document retention functions.

4. MFDs or High Volume Printers should be locked with a mechanism to prevent physical access to the hard disk.

5. Firmware should be up to date with the most current firmware available and should be currently supported by the vendor.

6. Devices and print spoolers have auditing enabled, including auditing of user access and fax logs (if fax is enabled), and audit logs should be collected and reviewed by a security administrator (SIEM).

7. All FTI data in transit should be encrypted when moving across a WAN and within the LAN.

8. Disposal of all hardware must follow IRS Publication 1075 Media Sanitization and Disposal Procedure requirements (see Section 9.3.10.6, Media Sanitization (MP-6), and Section 9.4.7, Media Sanitization).

IRS Required Controls for MFD Configuration – Source IRS Audit Guidelines NIST & SCSEM

1. Unsuccessful Login Attempts – Configure the MFD to lock user accounts after three consecutive failed login attempts. AC-7 and Test ID #MFD-12.

2. Audit Record Retention – Configure the High Volume Printer to enforce a password complexity policy that meets IRS Publication 1075 requirements. Update the following password-based authentication settings on all systems. AC-5 and Test ID #GENPRINT-06.

   i. Minimum password length is at least eight characters
   ii. At least one numeric and one special character
   iii. Mixture of at least one upper case and one lower case letter
   iv. Stores and transmits passwords only when encrypted
   v. Password minimum lifetime is one day
   vi. Standard account passwords to be changed at least every 90 days
   vii. Privileged account passwords to be changed at least every 60 days
   viii. Prevention of password reuse for 24 generations

3. Separation of Duties – Configure the administrator roles to ensure separation of duties for audit review and performing administration. AC-5 and Test ID #GENPRINT-11.

4. Remote Access – Configure the MFD to restrict remote management to only specified IP addresses. AC-17 and Test ID #GENPRINT-12.

5. Audit Review, Analysis and Reporting – Create and maintain a policy that requires all audit records to be reviewed at least weekly. AU-6 and Test ID #GENPRINT-14.


6. Audit Record Retention – Provision sufficient storage for the logs generated so that log files will not fill up between log rotation intervals. Ensure logs are backed up, archived off of the system and retained for a minimum period of seven years per IRS Publication 1075 requirements. AU-11 and Test ID #GENPRINT-15.

7. Access Control for Output Devices – Set a locking mechanism or strategically set the MFD in an area where the hard drive is not accessible. PE-5 and Test ID #GENPRINT-16.

8. Transmission Integrity and Confidentiality – Ensure all data transfer between both endpoints is encrypted. SC-8 and Test ID #GENPRINT-18.

9. Content of Audit Records – Configure the MFD audit records to contain information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event and the identity of any individuals or subjects associated with the event. AU-3 and Test ID #MFD-03.
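As an added illustration of two of the controls above, item 2 (password-based authentication settings i–viii) and item 9 (content of audit records), the following Python example is not MDHS or IRS tooling. It assumes that the device keeps its password history as PBKDF2 hashes under a constructed per-account salt, and that the MFD writes each audit record as a timestamp followed by key=value fields; the field names event, host, src, outcome and user, and the sample records, are constructed for the example.

```python
"""Checks for MFD/high-volume-printer controls: password settings (item 2) and
AU-3 audit record content (item 9). Example code added to illustrate the policy;
not MDHS or IRS tooling."""
import hashlib
import re
from datetime import datetime

# --- Item 2: password-based authentication settings (i)-(viii) -------------
SALT = b"constructed-example-salt"   # constructed; a real system stores a random salt per account
PBKDF2_ROUNDS = 100_000
MIN_LENGTH = 8                        # i.
MIN_AGE_DAYS = 1                      # v.
MAX_AGE_DAYS = {"standard": 90, "privileged": 60}   # vi., vii.
HISTORY_DEPTH = 24                    # viii.


def hash_password(password):
    """Store only a salted, stretched hash, never the cleartext (iv)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, PBKDF2_ROUNDS).hex()


def check_password_policy(candidate, previous_hashes, current_age_days):
    """Return the policy violations for a proposed new password; [] means acceptable."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        violations.append("no numeric character")
    if not any(not c.isalnum() for c in candidate):
        violations.append("no special character")
    if not any(c.isupper() for c in candidate):
        violations.append("no upper case letter")
    if not any(c.islower() for c in candidate):
        violations.append("no lower case letter")
    if hash_password(candidate) in previous_hashes[-HISTORY_DEPTH:]:
        violations.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    if current_age_days < MIN_AGE_DAYS:
        violations.append("current password is less than one day old")
    return violations


def password_change_due(age_days, privileged=False):
    """vi./vii.: standard passwords rotate every 90 days, privileged every 60."""
    return age_days >= MAX_AGE_DAYS["privileged" if privileged else "standard"]


# Constructed password history for the example: 24 prior generations, hashes only.
PREVIOUS_HASHES = [hash_password(f"Quarterly{n:02d}!") for n in range(1, 25)]

# --- Item 9: content of audit records (AU-3) --------------------------------
# Field names are an assumption about how the MFD labels its records.
REQUIRED_FIELDS = {
    "event": "what type of event occurred",
    "host": "where the event occurred",
    "src": "source of the event",
    "outcome": "outcome of the event",
    "user": "identity associated with the event",
}
KV_RE = re.compile(r"(\w+)=(\S+)")


def audit_record_gaps(line):
    """Return the AU-3 elements missing from one 'timestamp key=value ...' record."""
    gaps = []
    timestamp = line.strip().split(" ", 1)[0]
    try:
        datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        gaps.append("when the event occurred")
    fields = dict(KV_RE.findall(line))
    gaps.extend(desc for key, desc in REQUIRED_FIELDS.items() if key not in fields)
    return gaps


def incomplete_records(lines):
    """Map record index -> missing AU-3 elements, for every record that is incomplete."""
    report = {}
    for i, line in enumerate(lines):
        gaps = audit_record_gaps(line)
        if gaps:
            report[i] = gaps
    return report


# Constructed sample records: the second omits the user identity, the third has no timestamp.
SAMPLE_RECORDS = [
    "2018-01-22T09:14:03Z host=mfd-01 event=print_job src=10.0.5.17 user=jdoe outcome=success",
    "2018-01-22T09:15:41Z host=mfd-01 event=admin_login src=10.0.5.90 outcome=failure",
    "host=mfd-01 event=scan_to_email src=10.0.5.17 user=asmith outcome=success",
]

if __name__ == "__main__":
    print(check_password_policy("Quarterly07!", PREVIOUS_HASHES, 30))
    print(incomplete_records(SAMPLE_RECORDS))
```

The history is kept as hashes only (item iv), so the reuse check compares the hash of the candidate against the last 24 entries rather than any cleartext. Records that audit_record_gaps flags would fail the AU-3 test in item 9 and should be corrected on the device before its logs are forwarded to the SIEM called for in item 6 of the configuration requirements.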


Security Policy 122 - MDHS IT System & Service Acquisitions

Effective Date | Revision # | Description
12/01/2014 | 1.0 | Initial Policy

Purpose: This policy establishes the requirements for system and services acquisition.

Reference: IRS Publication 1075 Section 9.15.

Scope: MDHS Employees and Contractors

Responsible Party: MDHS and MIS administration

Policy Statement: MDHS shall ensure that there is sufficient system security documentation. Information systems that are used to process, store and transmit federal tax information must employ security controls consistent with Safeguard computer security requirements. MDHS shall document and allocate, as part of its capital planning and investment control process, the resources required to adequately protect the information system. For information systems containing FTI, MDHS shall manage the information system using a system development life cycle methodology per Security Standard 210 - System Development Life Cycle. All information system acquisition contracts must include security requirements and/or security specifications, either explicitly or by reference, based on an assessment of risk. All information system acquisition contracts must contain IRS Publication 1075 Exhibit 7 language as appropriate. External information system services must employ adequate security controls in accordance with IRS Publication 1075.


Security Policy 123 - MDHS IT Physical Security

Effective Date | Revision # | Description
12/01/2014 | 1.0 | Initial Policy
4/30/2015 | 2.0 | Revision to Add Physical Inspection Guidelines

Purpose: This policy establishes the physical security requirements required to protect sensitive information at MDHS.

Reference: IRS Publication 1075 Sections 4.0, Guide 2; ITS ESP Part 1 Chapter 12

Scope: All MDHS employees and contractors.

Responsible Party: IT Administrators, IT Managers, Human Resources.

Policy Statement: Access to MDHS physical premises for employees and approved contractors is provided via an electronic access control ID card (AP-43 Access Control ID Card Policy). MDHS has 24/7 security at the visitor entrance/exit. Visitors are required to sign in with the MDHS security guard and must be escorted by an MDHS employee at all times. The visitor log shall include:

o Name and organization of the visitor
o Signature of the visitor
o Form of identification
o Date of access
o Time of entry and departure
o Purpose of visit
o Name and organization of person visited

MDHS Human Resources will review the visitor log at minimum annually. The MDHS server room is protected by an electronic access control card reader, with employees granted access on a need-to-know basis. All windows located on the ground floor of buildings will be closed and locked at all times. If outsiders can see into a restricted area, some form of obscurity has to be in place to prevent viewing of screens; examples include blinds, screens, curtains and privacy screens. MDHS information systems have UPS in place to support graceful shutdown and emergency power shutoff for information systems in case of emergency.


MDHS Physical Safeguards for Federal Tax Information (FTI)

• MDHS shall keep FTI and sensitive information physically separate from other information, labeled clearly and safeguarded.

• During business hours, authorized personnel shall serve as the second barrier between FTI, sensitive information, and unauthorized personnel. Authorized personnel will wear visible credentials.

• When not in use, FTI and sensitive information, shall be kept in locked rooms (locked interior area) and inside locked containers or file cabinets (locked container) accessible only by approved personnel.

Physical and Electronic Inspections: An MDHS Agency designated official will conduct periodic physical and electronic inspections and document the results. The inspections will be conducted to ensure there are no unauthorized devices or software connected to the MDHS network.


Security Policy 124 - MDHS IRS Publication 1075 Reporting

Effective Date | Revision # | Description
12/01/2014 | 1.0 | Initial Policy

Purpose: This policy identifies the MDHS reporting requirements under IRS Publication 1075.

Reference: IRS Publication 1075 7.0

Scope: MDHS MIS

Responsible Party: MIS Security Team

Policy Statement: MDHS shall submit its SPR every six (6) years, or when significant changes occur in the safeguard program. The SPR should include all data in sections 7.2.1 through 7.2.10 of IRS Publication 1075. The SPR package, including the SPR template (the most current template may be obtained from IRS.GOV, keyword “Safeguards”), transmittal letter and all associated attachments must be submitted electronically to: [email protected]. Subsequent SPRs triggered by a significant change must be submitted at least 45 days before the implementation of the significant change.

MDHS shall submit its SAR annually, on the template developed by the Office of Safeguards (the most current template may be obtained from IRS.GOV, keyword “Safeguards”), along with a dated letter on the agency’s letterhead signed by the head of the agency or delegate. The SAR should include all data in sections 7.4.1 through 7.4.7 of IRS Publication 1075. MDHS Child Support Enforcement Division (CS) must submit the SAR for the annual processing period March 1 through February 28 by March 31. MDHS Economic Assistance Division (EA) must submit the SAR for the annual processing period September 1 through August 31 by September 30.

MDHS CS Division must submit an updated CAP on March 31 (as an attachment to the SAR) and on September 30. MDHS EA Division must submit an updated CAP on March 31 (as an attachment to the SAR) and on September 30 (as an attachment to the SAR).


Security Policy 125 – MDHS Additional IT Security Controls

Effective Date | Revision # | Description
12/01/2014 | 1.0 | Initial Policy

Purpose: This policy identifies the security requirements for certain existing and emerging technologies.

Reference: IRS Publication 1075 9.18.6 - 9.18.11

Scope: All MDHS Employees and Contractors

Responsible Party: MIS Security Team

Policy Statement: As a part of the annual risk assessment, MDHS will consider additional security controls where baseline controls are deemed insufficient in minimizing residual risk.


Security Policy 126 – MDHS IRS Federal Tax Information Statistical Reporting

Effective Date | Revision # | Description
12/01/2014 | 1.0 | Initial Policy

Purpose: This policy sets the requirements for reporting statistics of federal tax information.

Reference: IRS Publication 1075 Section 12.0

Scope: MDHS Employees and Contractors

Responsible Party: MDHS Administrators

Policy Statement: MDHS shall ensure that statistics in reports are in a form that cannot be associated with, or otherwise identify, directly or indirectly, a particular taxpayer. MDHS shall restrict FTI access to only authorized personnel. MDHS shall not release outside of the agency statistical tabulations with cells containing data from fewer than three returns. MDHS shall not release tabulations that would pertain to specifically identified taxpayers or would tend to identify a particular taxpayer, either directly or indirectly. MDHS must make statistical information requests under IRC 6108 and address such requests to:

Director, Statistics of Income Division
Internal Revenue Service, OS:P:S
1111 Constitution Avenue, NW
Washington, DC 20224
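The “fewer than three returns” rule above is a cell-suppression rule, and the “indirectly” clause is what makes a naive application of it insufficient. The following Python example is added here and is not part of the policy or of any IRS tooling. It applies the threshold to a constructed tabulation and goes one step beyond the text: it assumes row and column totals are published alongside the table, in which case a single suppressed cell in any row or column could be recovered by subtraction, so it also applies complementary suppression until no row or column is left with exactly one hidden cell. The sample table and the published-totals assumption are constructed for the example.

```python
"""Primary and complementary cell suppression for statistical tabulations of FTI.
Added example, not MDHS or IRS tooling. Assumes row and column totals are
published with the table, which is why a lone hidden cell would be recoverable."""

MIN_RETURNS = 3   # a cell built from fewer than three returns may not be released


def suppress_cells(table, threshold=MIN_RETURNS):
    """Return a copy of `table` (list of rows of counts) with suppressed cells set to None.

    Step 1 (primary): hide every cell with fewer than `threshold` returns.
    Step 2 (complementary): while any row or column has exactly one hidden cell, hide
    its smallest remaining cell too, so the hidden value cannot be recovered from the
    published row or column total by subtraction.
    """
    out = [list(row) for row in table]
    rows = len(out)
    cols = len(out[0]) if out else 0

    for r in range(rows):
        for c in range(cols):
            if out[r][c] < threshold:
                out[r][c] = None

    def lines():
        # every row and every column, as lists of (r, c) coordinates
        for r in range(rows):
            yield [(r, c) for c in range(cols)]
        for c in range(cols):
            yield [(r, c) for r in range(rows)]

    changed = True
    while changed:
        changed = False
        for coords in lines():
            hidden = [rc for rc in coords if out[rc[0]][rc[1]] is None]
            visible = [rc for rc in coords if out[rc[0]][rc[1]] is not None]
            if len(hidden) == 1 and visible:
                # smallest visible cell costs the least information; ties keep first position
                r, c = min(visible, key=lambda rc: out[rc[0]][rc[1]])
                out[r][c] = None
                changed = True
    return out


def releasable(table, threshold=MIN_RETURNS):
    """True when every cell already meets the threshold, so nothing needs suppressing."""
    return all(cell >= threshold for row in table for cell in row)


# Constructed example: returns per (program row, county column); not real data.
SAMPLE_TABLE = [
    [12, 2, 9, 15],
    [8, 11, 1, 6],
    [5, 7, 10, 4],
]

if __name__ == "__main__":
    for row in suppress_cells(SAMPLE_TABLE):
        print(["*" if cell is None else cell for cell in row])
```

On the sample table, primary suppression hides only the cells with 2 and 1 returns; the complementary pass then hides one further cell in each affected row and column, so the released table shows 12, 15, 8, 11, 5 and 10 with the rest masked. The heuristic is deliberately simple (smallest visible cell, iterate to a fixed point); it guarantees no row or column has a lone hidden cell but is not the minimum-information-loss solution that dedicated disclosure-control tools compute.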


Security Policy 127 – MDHS IT FAX Policy

Effective Date | Revision # | Description
1/29/2015 | 1.0 | Initial Policy

Purpose: This policy identifies the security requirements to protect the confidentiality of sensitive information when transmitting or receiving information via facsimile (fax).

Reference: IRS Publication 1075 9.3.16.6, 9.4.4; NIST 800-53 Revision 4 SC-8

Scope: All MDHS Employees and Contractors

Responsible Party: MIS Security Team

Definitions: N/A

Policy Statement: MDHS employees will transmit information by fax only when the transmission is time-sensitive and delivery by electronic transmission or regular mail will not meet the reasonable needs of the sender or recipient.

Any fax containing sensitive information is prohibited.

MDHS employees will take reasonable steps to send the fax transmission to the intended recipient. This includes verifying that the recipient is aware of an incoming fax and the fax was received.

MDHS employees are prohibited from faxing Federal Tax Information (FTI), National Directory of New Hire (NDNH) and Social Security Administration (SSA) information.

All faxes containing sensitive information must include an MDHS cover sheet identifying the name of the sender, the recipient, and the agency approved MDHS Confidential Warning Paragraph disclaimer.


Security Policy 128 - MDHS IT Contingency Planning

Effective Date | Revision # | Description
12/01/2014 | 1.0 | Initial Policy

Purpose: This policy establishes the contingency planning policy for managing risks from information asset disruptions, failures, and disasters through the establishment of an effective contingency planning program. The contingency planning program helps MDHS implement security best practices with regard to business continuity and disaster recovery.

Reference: IRS Publication 1075, Section 9.3.6

Scope: All MDHS Employees, Contractors and Subcontractors.

Responsible Party: MDHS Administration, MDHS MIS Team

Policy Statement: All MDHS IT Systems must be supported by contingency planning standards that clearly address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. MDHS must develop and maintain a contingency plan for the company information assets that:

1. Identifies essential missions and business functions and associated contingency requirements.
2. Provides recovery objectives, restoration priorities, and metrics.
3. Addresses contingency roles, responsibilities, and assigned individuals with contact information.
4. Addresses maintaining essential missions and business functions despite an information asset disruption, compromise, or failure.
5. Addresses eventual, full information asset restoration without deterioration of the security measures originally planned and implemented.
6. Is reviewed and approved by designated officials within the organization.
7. Distributes copies of the contingency plan to relevant system owners and stakeholders.
8. Coordinates contingency planning activities with incident handling activities.
9. Reviews the contingency plan for the information asset on an annual basis.
10. Revises the contingency plan to address changes to the organization, information asset, or environment of operation and problems encountered during contingency plan implementation, execution, or testing.
11. Communicates contingency plan changes to relevant system owners and stakeholders.

MDHS must train personnel in their contingency roles and responsibilities with respect to the information asset and provide refresher training on an annual basis.


MDHS must test and/or exercise the contingency plan for the information asset annually to determine the plan’s effectiveness and the organization’s readiness to execute the plan. In addition, MDHS IT Systems must review the contingency plan test/exercise results and initiate corrective actions.

MDHS must establish an alternate storage site, including necessary agreements, to permit the storage and recovery of information asset backup information.

MDHS must establish an alternate processing site, including necessary agreements, to permit the resumption of information asset operations for essential missions and business functions within defined recovery times and recovery points when the primary processing capabilities are unavailable. In addition, MDHS will ensure that equipment and supplies required to resume operations are available at the alternate site, or that contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.

MDHS must establish alternate telecommunications services, including necessary agreements, to permit the resumption of information asset operations for essential missions and business functions within defined recovery time and recovery points when the primary telecommunications capabilities are unavailable.

MDHS must conduct backups of user-level, system-level, and information asset documentation (including security-related documentation) within defined recovery time and recovery point objectives. In addition, MDHS IT Systems must protect the confidentiality and integrity of backup information at the storage location.

MDHS must provide for the recovery and reconstitution of the information asset to a known state after a disruption, compromise, or failure.


Security Policy 129 – MDHS IRS Background Investigation Requirements

Effective Date | Revision # | Description
10/31/2016 | 1.0 | Initial Policy

Purpose: This policy sets the IRS Background Investigation requirements.

Reference: IRS Publication 1075 Section 5.1.1 and 5.1.2.

Scope: MDHS Employees and Contractors that utilize or have access to Federal Tax Information.

Responsible Party: MDHS Administrators.

Policy Statement: Determining the suitability of individuals who require access to U.S. government Sensitive But Unclassified (SBU) information, including FTI, is a key factor in ensuring adequate information security. Prior to granting access to FTI, and periodically thereafter, the Agency must complete a suitability background investigation which is favorably adjudicated by the Agency. State and local agencies which are not required to implement the federal background investigation standards must establish a personnel security program that ensures a background investigation is completed at the appropriate level for any individual who will have access to FTI, using the guidance below as the minimum standard, and a reinvestigation conducted within 10 years at a minimum.

• Agencies must develop a written policy requiring that employees, contractors and sub-contractors (if authorized), with access to FTI must complete a background investigation that is favorably adjudicated. The policy will identify the process, steps, timeframes and favorability standards that the agency has adopted. The agency may adopt the favorability standards set by the FIS or one that is currently used by another state agency, or the Agency may develop its own standards specific to FTI access.

• The written background investigation policy must establish a result criterion for each required element which defines what would result in preventing or removing an employee’s or contractor’s access to FTI.

• Agencies must initiate a background investigation for all employees and contractors prior to permitting access to FTI.


• State agencies must ensure a reinvestigation is conducted within 10 years from the date of the previous background investigation for each employee and contractor requiring access to FTI.

• Agencies must make written background investigation policies and procedures, as well as a sample of completed employee and contractor background investigations, available for inspection upon request.

• Background investigations for any individual granted access to FTI must include, at a minimum:

A. FBI fingerprinting (FD-258) - review of Federal Bureau of Investigation (FBI) fingerprint results conducted to identify possible suitability issues. (Contact the appropriate state identification bureau for the correct procedures to follow.) A listing of state identification bureaus can be found at: https://www.fbi.gov/about-us/cjis/identity-history-summary-checks/state-identification-bureau-listing

This national agency check is the key to evaluating the history of a prospective candidate for access to FTI. It allows the Agency to check the applicant’s criminal history in all 50 states, not only current or known past residences.

B. Check of local law enforcement agencies where the subject has lived, worked, and/or attended school within the last 5 years, and if applicable, of the appropriate agency for any identified arrests.

The local law enforcement check will assist agencies in identifying trends of misbehavior that may not rise to the criteria for reporting to the FBI database but is a good source of information regarding an applicant.

C. Citizenship/residency – Validate the subject's eligibility to legally work in the United States (e.g., a United States citizen or a foreign citizen with the necessary authorization).

Employers must complete USCIS Form I-9 to document verification of the identity and employment authorization of each new employee hired after November 16, 1986, to work in the United States. Within 3 days of completion, any new employee must also be processed through E-Verify to assist with verification of his/her status and the documents provided with the Form I-9. The E-Verify system is free of charge and can be located at www.uscis.gov/e-verify. This verification process may only be completed on new employees. Any employee with expiring employment eligibility must be documented and monitored for continued compliance.

The requirements of Section 5.1.1 pertaining to initial and periodic background investigations for individuals before authorizing access to FTI are effective upon the date of that publication (October 1, 2016). Implementation of the new standards, including the development of written policies, verification that all individuals with access to FTI have an appropriate level of investigation, and initiation of the new required investigations, may occur within one year.


Upon publication, agencies should initiate action to establish a written background investigation policy that conforms to the standards of Section 5.1.1. Agencies should also identify all employees or contractors who currently have access to FTI and have not completed the required personnel security screening and initiate a background investigation which meets these standards. Agencies should initiate a background investigation for all newly hired employees and contractors who will require access to FTI to perform assigned duties as soon as practicable upon notification of the requirement.

Agency implementation efforts to achieve full compliance with the minimum background investigation requirement may vary based on state legislation, budget and labor relation hurdles. Some state agencies have published standards which meet or exceed these requirements, while others may have minimal or no standards established for background investigations. The expectation is that all agencies receiving FTI will take the steps necessary toward full compliance with this requirement.

As a part of the annual Safeguard Security Report (SSR), and during an agency on-site review, compliance with this requirement and efforts underway to achieve compliance will be evaluated. Any deficiencies will be documented in the agency's Corrective Action Plan (CAP), and each agency response is expected to include an update on progress and a plan to continue moving toward compliance.


Security Policy 130 - MDHS IT SSA Audit Record Guidelines

Effective Date | Revision # | Description
5/04/2015 | 1.0 | Initial Policy
1/20/2016 | 2.0 | Deletion of Audit Logs

Purpose This policy establishes guidelines for the information that will be captured in the Audit Records that track viewing of Social Security Administration (SSA) information. These SSA Audit Records are created for both the State Verification Exchange System-State Data Exchange (SVES-SDX) and the State On Line Query (SOLQ). These Audit Records will be maintained for a minimum of five years and must not be manually altered or deleted by IT Managers, IT Administrators, Database Administrators, Programmers or Systems Analysts.

Reference SSA "Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration" (Version 6.0.2, April 2014).

Scope MDHS MIS staff with a need to know, or as requested by MDHS Field Operations or SSA staff.

Responsible Party MDHS MIS staff and Field Operations staff.

Policy Statement SSA requires State Agencies to implement and maintain a fully automated audit trail system (ATS). The system must be capable of creating, storing, protecting and efficiently retrieving and collecting records identifying the individual user who initiates a request for information from SSA or accesses SSA-provided information. At a minimum, individual audit trail records must contain the data needed (including date and time stamps) to associate each query transaction or access to SSA-provided information with its initiator, their action, if any, and the relevant business purpose/process (e.g., SSN verification for SNAP or TANF). Each entry in the audit file must be stored as a separate record, not overlaid by subsequent records. The Audit Trail System must create transaction files to capture all input from interactive internet applications which access or query SSA-provided information.
Access to the audit file must be restricted to authorized users with a "need to know." Audit file data must be unalterable (read-only), maintained for a minimum of three (preferably seven) years, and must NOT be manually deleted by IT Managers, IT Administrators, Database Administrators, Programmers or Systems Analysts. Information in the audit file must be retrievable by an automated method. Agencies must have the capability to make audit file information available to SSA upon request. Agencies must back up audit trail records on a regular basis to ensure their availability, and must apply the same level of protection to backup audit files that applies to the original files. If the Agency retains SSA-provided information in a database, or if certain data elements within the Agency's system indicate to users that SSA verified the information, the Agency's system must also capture an audit trail record of users who viewed SSA-provided information stored within the Agency's system. The retrieval requirements for SSA-provided information at rest and the retrieval requirements for regular transactions are identical.


Below is information that outlines the contents of the MDHS SSA Audit Record files.

SVES-SDX

Effective April 2015, all viewing of SVES-SDX data and all SVES requests create an Audit Log record that contains the following information:

- Social Security Number (SSN) of the Client
- SSA Claim Account Number (CAN)
- Request Date (Date the Information was Viewed or Requested)
- Request Time (Time the Information was Viewed or Requested)
- Source of Request
- MDHS Client Number
- MDHS Case Load Number
- MDHS Unit
- MDHS Full Service Office
- MDHS Case Number
- User Personal Control Number (PCN)
- Security Key User ID
- Title II Request
- Title XVI Request
- TANF Flag
- SNAP Flag
- Applicant Flag
- Recertification Flag

An Audit Report can be produced using this data upon request for use by authorized staff with a need to know.

SOLQ

For SOLQ production, MDHS plans to implement an Audit Record for all viewing of State On Line Query (SOLQ) data. The Audit Log record will contain the following information:

- Social Security Number (SSN) of the Client
- SSA Claim Account Number (CAN)
- Request Date (Date the Information was Viewed or Requested)
- Request Time (Time the Information was Viewed or Requested)
- RACF User ID
- System
- RACF Name
- MDHS County Office
- MDHS District
- Client Name
- Client Date of Birth
- Client Case Number
- Client Sex
- Alien Indicator
- Category of Assistance
- Response Date


- Response Status
- Response Social Security Number
- Type Code
- File Name
- Out of State
- MDHS Client Number
- MDHS Benefit Month
- User Personal Control Number (PCN)

An Audit Report can be produced using this data upon request for use by authorized staff with a need to know.
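The policy above requires that every query or view be written as its own record, that the file not be alterable or manually deletable by the staff who administer it, and that records be retrievable by an automated method. The following is an added, illustrative example of one way those properties can be implemented; it is not MDHS's Audit Trail System and is not prescribed by SSA. The field names are assumed from the SVES-SDX record layout listed above, the sample events are constructed with fictitious identifiers, and the SHA-256 hash chain is one technique (beyond what the policy states) that makes alteration, deletion or reordering of any record detectable on later verification.

```python
"""Record-per-query, tamper-evident audit trail for SSA data access.

Added illustrative example, not MDHS code. Field names are assumed from
the SVES-SDX audit record layout; sample events below are constructed.
"""
import hashlib
import json
from typing import Dict, Iterable, List, Optional

GENESIS = "0" * 64  # prev_hash carried by the first record of an audit file

# One key per data element the policy lists for an SVES-SDX audit record.
SVES_FIELDS = (
    "ssn", "can", "request_date", "request_time", "source_of_request",
    "client_number", "case_load_number", "unit", "full_service_office",
    "case_number", "pcn", "security_key_user_id", "title_ii_request",
    "title_xvi_request", "tanf_flag", "snap_flag", "applicant_flag",
    "recertification_flag",
)


def _digest(record: Dict[str, str]) -> str:
    """SHA-256 over canonical JSON so verification reproduces the hash."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def make_record(event: Dict[str, str], prev_hash: str) -> Dict[str, str]:
    """Build one complete record linked to the hash of the previous record.

    An event missing any required element is rejected, so an incomplete
    record can never reach the audit file.
    """
    missing = [f for f in SVES_FIELDS if f not in event]
    if missing:
        raise ValueError(f"audit record incomplete, missing: {missing}")
    record = {f: str(event[f]) for f in SVES_FIELDS}
    record["prev_hash"] = prev_hash
    record["record_hash"] = _digest(record)  # covers all fields + prev_hash
    return record


def build_chain(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Turn a sequence of query events into separate, chained records."""
    records: List[Dict[str, str]] = []
    prev = GENESIS
    for ev in events:
        rec = make_record(ev, prev)
        records.append(rec)
        prev = rec["record_hash"]
    return records


def verify_chain(records: List[Dict[str, str]]) -> bool:
    """True only if no record was altered, removed or reordered."""
    prev = GENESIS
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec.get("prev_hash") != prev or _digest(body) != rec.get("record_hash"):
            return False
        prev = rec["record_hash"]
    return True


def retrieve(records: List[Dict[str, str]], pcn: Optional[str] = None,
             ssn: Optional[str] = None) -> List[Dict[str, str]]:
    """Automated retrieval: all accesses by one worker and/or of one client."""
    return [r for r in records
            if (pcn is None or r["pcn"] == pcn) and (ssn is None or r["ssn"] == ssn)]


def load_records(path: str) -> List[Dict[str, str]]:
    """Read a JSON Lines audit file; a missing file is an empty trail."""
    try:
        with open(path, encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]
    except FileNotFoundError:
        return []


def append_record(path: str, event: Dict[str, str]) -> Dict[str, str]:
    """Append one record as its own line; earlier lines are never rewritten."""
    existing = load_records(path)
    prev = existing[-1]["record_hash"] if existing else GENESIS
    rec = make_record(event, prev)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(rec, sort_keys=True) + "\n")
    return rec


def _event(**overrides: str) -> Dict[str, str]:
    """Constructed sample query event (fictitious SSN, CAN, case and user IDs)."""
    base = dict(zip(SVES_FIELDS, (
        "999-00-0001", "999000001A", "2018-01-24", "09:15:02", "SVES-SDX",
        "C0001", "CL01", "U1", "FSO-01", "CASE0001", "PCN1001", "wrkr01",
        "Y", "N", "N", "Y", "Y", "N")))
    base.update(overrides)
    return base


SAMPLE_EVENTS = [
    _event(),
    _event(request_time="09:17:40", pcn="PCN1002", security_key_user_id="wrkr02",
           title_ii_request="N", title_xvi_request="Y"),
    _event(request_time="10:02:11", ssn="999-00-0002", can="999000002B",
           client_number="C0002", case_number="CASE0002"),
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("chain valid:", verify_chain(chain))
    chain[1]["pcn"] = "PCN9999"  # an administrator "correcting" a record
    print("after edit:", verify_chain(chain))
```

Each query becomes one JSON line, so later records never overlay earlier ones, and `retrieve` gives the automated, per-user or per-client lookup the policy requires. Because each record commits to the hash of its predecessor, `verify_chain` fails if any line is edited, deleted or reordered, which is what turns "must not be manually altered or deleted" from a staffing rule into something an auditor can check against the file and its backups.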


Security Policy 131 – MDHS Remote Access, Telework and Alternate Work Site Policy

Effective Date | Revision # | Description
6/22/2017 | 1.0 | Initial Policy

Purpose This policy sets the requirements for Remote Access, Telework and Alternate Work Sites for the MDHS Agency.

Remote access to MDHS systems provides many benefits. It allows personnel traveling on business to connect to MDHS information resources and provides the capability for telecommuting. However, remote access to MDHS via VPN poses a risk of intrusion into MDHS systems by unauthorized persons, as well as interception of the data being transferred through the remote connection. Direct connectivity to the Internet or other network outside of MDHS systems lacks the protections afforded by MDHS’s Agency Firewall and other perimeter protections. Thus, additional security measures must be implemented to mitigate the increased security risks presented by remote access.

The purpose of this plan is to formalize Security Policies in use at MDHS that relate to Remote Access and Teleworking while connected to MDHS systems. Specifically, MDHS seeks to develop a Security Policy that describes the following:

1) Allowed methods of remote access to the MDHS Systems and Network.
2) Usage restrictions and implementation guidance for each allowed remote access method.
3) How MDHS monitors for unauthorized remote access.
4) How MDHS authorizes remote access to the MDHS Network prior to connection.
5) How MDHS enforces requirements for remote connections to the MDHS Network.

Reference IRS Publication 1075 Sections 4.7 and 9.3.1.12.

Scope MDHS Employees and Contractors

Responsible Party IT administrators

Definitions N/A

Policy Statement

1) All remote connectivity must be authenticated using multi-factor authentication, such as a password used in conjunction with a hardware or software token (e.g., FortiToken). Currently, the MDHS VPN is configured to use Active Directory credentials and FortiAuthenticator for two-factor authentication.


2) All confidential data transferred over a remote access connection must be encrypted to protect it from unauthorized disclosure. Encryption of this data must meet the MDHS policy.

3) All security policies for use in the MDHS office environment must also be observed when using or connecting to MDHS resources while outside the MDHS office environment. The following activities are prohibited when teleworking:

a) Connecting to open, unencrypted wireless networks.

b) Connecting to unknown or untrusted wireless or wired networks.

c) Working in public locations such as coffee shops, hotel lobbies and airports.

4) No personal equipment, including personal home computers, should be used to connect to MDHS’s information resources or process MDHS data.

5) MDHS confidential data is not to be stored on any non-MDHS computers or portable disk drives.

6) It is the responsibility of associates to ensure that their access devices and remote connections are not used by unauthorized persons (including family members).

7) Information users may not change operating system configurations, install new software, alter equipment or add to it in any way (e.g., upgraded processors, expanded memory, or wireless cards), or download software from systems outside of MDHS onto MDHS remote access computers.

8) To prevent unauthorized users from accessing confidential MDHS information via open connections, MDHS information users must log out after completing a remote session. They must also wait until they receive a confirmation of their log-out command from the remotely connected MDHS machine before they leave the computer they are using.

9) All VPN connection attempts will be monitored 24x7 using the MDHS SIEM.

10) All users authorized to telework must first sign a copy of this form acknowledging the responsibility of the user.


Security Policy 132 – MDHS Duplication of Sensitive Data Policy

Effective Date | Revision # | Description
1/24/2018 | 1.0 | Initial Policy

Purpose This policy sets the requirements for duplicating sensitive data for the MDHS Agency.

Reference IRS Publication 1075 Sections 3.3 and 4.3; NIST SP 800-53 Revision 4, AC-16

Scope MDHS Employees and Contractors

Responsible Party MDHS MIS Security Group, Directors, Managers, Supervisors

Definitions N/A

Policy Statement All MDHS Employees and Contractors are prohibited from printing (with the exception of Authorized Reports), copying, screen printing, and photographing Federal Tax Information (FTI), National Directory of New Hires (NDNH) and Social Security Administration (SSA) information.


Enterprise Security Acronym List

AES Advanced Encryption Standard

CAP Corrective Action Plan

FTI IRS Federal Tax Information

IRS Internal Revenue Service

IT Information Technology

ITS Division of Information Technology Services

LAN Local Area Network

PSK Mode Pre-shared key also known as Personal mode.

SRR IRS Safeguard Review Report

SSR IRS Safeguard Security Report

SSID Service Set Identifier (wireless network name)

SSL Secure Sockets Layer

Triple DES Triple Data Encryption Standard (3DES)

WAP Wireless Access Point

WEP Wired Equivalent Privacy – security algorithm for wireless networks

WPA Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed to secure wireless computer networks.


Enterprise Security Definition Glossary

CAP Corrective Action Plan - The IRS will provide each agency with a pre-populated Corrective Action Plan (CAP) along with the interim SRR.

Encryption The procedure used to convert data from its original form to a format that is unreadable and/or unusable to anyone without the tools/information needed to reverse the encryption process.

Event Any observable occurrence in a network or system.

Firewall A device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.

FTI Federal Tax Information described by the Internal Revenue Service

Incident A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Information System A collection of computer hardware, software, firmware, applications, information, communications and personnel organized to accomplish a specific function or set of functions under direct management control.

LAN Local Area Network – computer network that interconnects computers in a limited area such as a home, computer lab, or office building using network media.

Media Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts onto which information is recorded, stored, or printed within an information system (NIST 800-53R4). Any medium, electronic or non-electronic where data is stored.

Mobile Device Any electric and/or battery operated device that can be easily transported and that has the capability for storing, processing, and/or transmitting data including Laptops, Portable Digital Assistants (PDAs), Tablet/Mini PCs, Blackberries, Smartphones, and Hand-Held PCs.

Private Data Federal Tax Information (FTI), internal MDHS agency data, or State of MS data.

PSK Mode Pre-shared key also known as Personal mode.


Removable Media Device or media that is readable and/or writeable by the end user and is able to be moved from computer to computer without modification to the computer. This includes flash memory devices such as thumb drives, cameras, MP3 players and PDAs; removable hard drives (including hard drive-based MP3 players); optical disks such as CD and DVD disks; floppy disks; and any commercial music and software disks.

Security The protection of the integrity, availability, and confidentiality of information; and the protection of Information Technology (IT) assets from unauthorized use, modification, damage, or destruction.

Sensitive Information Information which, if made available to unauthorized persons, may adversely affect MDHS, its programs, or participants served by its programs. Examples include, but are not limited to, personal identifiers, financial information, Federal Tax Information and Social Security information.

SRR IRS Safeguard Review Report – Report issued by the IRS following an on-site safeguard review of an agency that receives FTI; it documents the findings of that review, and the pre-populated CAP accompanies the interim SRR.

SSR IRS Safeguard Security Report – Annual report that an agency receiving FTI submits to the IRS, describing the procedures, controls and safeguards the agency has in place to protect FTI and any changes since the prior report.

SSID Service Set Identifier – the name that identifies a wireless network.

SSL Secure Sockets Layer/TLS – Transport Layer Security – protocols which are designed to provide communication security over the internet.

Triple DES Triple Data Encryption Standard (3DES) – a block cipher that applies the DES algorithm three times to each data block.

Virus A self-replicating, malicious program that attaches itself to executable programs.

WAP Wireless Access Point – device that allows wireless devices to connect to a wired network using Wi-Fi.

WEP Wired Equivalent Privacy – security algorithm for wireless networks

WPA Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed to secure wireless computer networks.


References

Congress. (1975, June 26). Final Rule: Title IV-D of the Social Security Act: Child Support Enforcement. Retrieved January 13, 2014, from Office of Child Support Enforcement: http://www.acf.hhs.gov/programs/css/resource/final-rule-title-iv-d-of-social-security-act-child-support-enforcement

Internal Revenue Service. (2014). Tax Information Security Guidelines for Federal, State and Local Agencies (Publication 1075). Department of the Treasury. Retrieved from http://www.irs.gov/uac/Safeguards-Program

Mississippi Department of Information Technology Services. (2013). State of Mississippi Enterprise Security Policy. Jackson, MS: Mississippi Department of Information Technology Services.

NIST. (2012). Computer Security Incident Handling Guide (Special Publication 800-61 Revision 2). Gaithersburg, MD: Department of Commerce.

NIST. (2012). Guide for Conducting Risk Assessments (Special Publication 800-30 Revision 1). Gaithersburg, MD: Department of Commerce.

NIST. (2013). Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53 Revision 4). Gaithersburg, MD: Department of Commerce.


ESP Review Record 2018

Date Reviewed

2016 ESP & ESP-F-G Reviews

1-24-2018 Debra Fuqua


ESP Review Record 2016

Date Reviewed

2016 ESP & ESP-F-G Reviews

1-12-2016 Mike Bullard

2-18-2016 Mike Bullard

3-24-2016 Mike Bullard

4-15-2016 Mike Bullard

5-09-2016 Mike Bullard

6-15-2016 Mike Bullard

7-15-2016 Mike Bullard

8-15-2016 Mike Bullard


ESP Review Record 2015

Date Reviewed

2016 ESP & ESP-F-G Reviews

1-12-2015 Mike Bullard

2-18-2015 Mike Bullard

3-24-2015 Mike Bullard

4-15-2015 Mike Bullard

5-09-2015 Mike Bullard

6-15-2015 Mike Bullard

7-15-2015 Mike Bullard

8-14-2015 Mike Bullard

9-15-2015 Mike Bullard

10-15-2015 Mike Bullard

11-16-2015 Mike Bullard

12-15-2015 Mike Bullard

1-24-2018 Debra Fuqua