Skip to main content

Library: Policy

OKDHS:2-41-15. Data security

Revised 9-1-09

(a) General policy.  All data collected and maintained by Oklahoma Department of Human Services (OKDHS) is owned by and becomes the responsibility of OKDHS.  The objective of data security is to ensure the data collected and maintained by OKDHS is protected from inadvertent or intentional damage or misuse.  Data is accessible, subject to legal restrictions and the appropriate approval processes as outlined in this regulation, to all entities, both governmental and non-governmental, as needed to accomplish OKDHS objectives.  There is no expressed or implied expectation of privacy for users of any OKDHS computer network, computer equipment, or other computer resources.  All actions or keystrokes of such users may be monitored at any time.

  • (1) Data security is the responsibility of all individuals who interact in any way with OKDHS computer systems, computer resources, networks, or data.  These individuals have the basic responsibility to protect data and conserve resources they use, or come in contact with, in the course of performing their assigned duties, and they are responsible for utilizing and implementing practices that support and comply with OKDHS data security guidelines.

  • (2) Data Services Division (DSD) Enterprise Technical Services (ETS) Security Services Section, in conjunction with the OKDHS Information Security Office (ISO), is responsible for drafting, obtaining OKDHS management's approval, disseminating, and updating OKDHS data security guidelines.

  • (3) DSD, in conjunction with the ISO, has lead responsibility for data security as it relates to data in machine readable form.  The ETS Security Services Section assists with monitoring data security practices and interfacing with Electronic Data Processing (EDP) auditors.

(b) Delegation of data ownership.  For the purposes of interpreting confidentiality restrictions imposed by law, establishing data classification, and approving access to data, ownership of data is delegated by OKDHS to the OKDHS division director, whose division collects and maintains the data.

(c) Classification.

  • (1) All data is classified as either confidential or non-confidential data.

    • (A) Confidential data is any piece of data or set of data, the misuse of which violates existing laws or policy, violates client confidentiality or privacy, creates a liability exposure for OKDHS, or creates the opportunities for fraud or other illegal activity.

    • (B) Non-confidential data is any piece of data or set of data which is not confidential.

  • (2) Guidelines for classification are listed in (A) - (C) of this paragraph.

    • (A) A data set is classified according to the most sensitive detail it includes.

    • (B) Information recorded in several formats of media, for example source document, electronic record, or report has the same classification regardless of format or media.

    • (C) OKDHS complies with Oklahoma's Open Records Act.  Certain designated persons who are authorized to release records may request the normal classification category be waived, subject to approval by the owner of the data.

(d) Assignment of responsibilities.  Data security administration consists of three primary entities which are in turn supported by several functional area entities.  The three primary entities are the data owner, the decentralized security representative (DSR), and ETS Security Services.    Data processed by the computerized systems must have an identified owner, such as division director, area director, county director, or unit administrator, and the ownership assignment must be documented with ETS Security Services.

  • (1) The data owner may, at his or her discretion, delegate data security administration responsibilities to a decentralized security representative (DSR).  The delegation of a DSR must be in writing and submitted to ETS Security Services using Form 055C002E, Decentralized Access Control Security Agreement.  The data owner or his or her delegated DSR is responsible for:

    • (A) ensuring data is collected and stored in a manner that meets all federal and state laws and OKDHS policy;

    • (B) classifying data according to legal and OKDHS policy restrictions;

    • (C) determining and authorizing access and utilization criteria based on the classification; and

    • (D) specifying and communicating access and utilization criteria to the ETS Security Services manager.

  • (2) The ETS Security Services manager is responsible for:

    • (A) processing and filing all requests for access including approvals and denials; and

    • (B) administering controls as specified by the owner.  These responsibilities include:

      • (i) administering access controls to data and resources;

      • (ii) providing procedural safeguards;

      • (iii) providing a method of assigning unique logon identification (ID) numbers and encrypted passwords to ensure user accountability;

      • (iv) furnishing reports of access violations as required;

      • (v) assisting the ISO in providing security awareness education to owners and users;

      • (vi) maintaining information concerning which users have access to what data and resources; and

      • (vii) alleviating disagreements between users and owners concerning access.

  • (3) The DSR is appointed by the data owner and coordinates security activities with the ETS Security Services manager.  The DSR is responsible for:

    • (A) assisting the ETS Security Services manager within the guidelines of OKDHS policy;

    • (B) assisting in development of security designs for user requirements which fall within his or her scope;

    • (C) testing and exercising the security controls which fall within his or her scope;

    • (D) documenting security controls within his or her scope;

    • (E) administering access controls to data and resources owned by his or her division;

    • (F) providing procedural safeguards;

    • (G) supporting the assignment of unique logon IDs and encrypted passwords to ensure user accountability;

    • (H) reporting violations, abuse of logon IDs, and potential breaches in security to appropriate authorities and providing follow-up activity if needed;

    • (I) establishing new users and terminating users as appropriate, including notifying DSD Security Services of new, moved, or terminated employees;

    • (J) complying with all security controls established by the owner of the data and DSD ETS Security Services manager;

    • (K) training the users of the Local Area Network (LAN) on security control established for the LAN; and

    • (L) interfacing with and providing information to auditors.

(e) Functional responsibilities.

  • (1) ETS Security Services Section is the organizational unit within DSD responsible for maintaining the security of OKDHS computerized data and ensuring a valid and secure network environment within the guidelines of OKDHS policy.  The ETS Security Services manager is a member of this organizational unit and is in charge of the Data Security Services Section.

  • (2) The ETS Infrastructure Platform and Software Section maintains the current hardware, operating system(s) and third party software configuration, and administration.

  • (3) The Telecommunications Services Section maintains the LAN and Wide Area Network (WAN) for OKDHS.

  • (4) The Database Services Section maintains all database repositories in use at OKDHS.

  • (5) The Production Services Section of Enterprise Support Services (ESS) is responsible for the scheduled production processing, job set up, job check out, and output distribution.  Production services activities performed by other units within OKDHS are also covered under this standard.  Production processing is handled in a secure manner.  Production Services is responsible for:

    • (A) accessing data and resources through the production facilities as developed by the ETS Unit and Enterprise Application Services (EAS) Unit; and

    • (B) maintaining production libraries.

  • (6) The Operations Section of ESS is responsible for operation of the computer equipment in the Data Center.  The Operations Section is responsible for accessing data and resources through the facilities as developed by the ETS Unit.

  • (7) EAS develops and maintains OKDHS applications, plans for and designs data processing systems, and advises on design techniques and practices for OKDHS.  EAS is responsible for:

    • (A) ensuring security requirements are addressed in the design and development process;

    • (B) designing the security requirements for the applications according to the established standards and working with the ETS security architect and ETS Security Services manager to implement these requirements; and

    • (C) determining if modifications to existing systems will have an impact on security, and if so, notifying the ETS Security Services manager.

  • (8) Customer Relations and Support (CRS) is responsible for coordination and communication with user divisions and other agencies.  CRS serves as a liaison between the OKDHS user community and DSD ETS.

  • (9) The Telecommunications Services Section is responsible for all OKDHS networks and WANs and supporting network security, in conjunction with the ETS Security Services Section.

  • (10) Users include employees of OKDHS, vendors, contractors, and other individuals who operate, use, or interface in any way with the OKDHS computer systems, computer resources, or computerized data.  The users are responsible for:

    • (A) complying with all security controls established by appropriate authority;

    • (B) using the data only for the accomplishment of official duties in the manner approved by the owner;

    • (C) keeping logon IDs and passwords used to access data and resources confidential including not sharing passwords; and

    • (D) notifying the ETS Security Services manager of abuse or sharing of logon ID numbers, passwords, or both.

  • (11) Project Management Office (PMO):

    • (A) focuses on project managers leading technology teams in the development and implementation of business applications as directed by the Information Technology (IT) Governance Board;

    • (B) assists the organization in learning to work in an environment where resources and team members are assigned to work on projects that involve multiple units; and

    • (C) is responsible for:

      • (i) the portfolio management of all IT projects;

      • (ii) ensuring security requirements are identified and incorporated in all OKDHS projects; and

      • (iii) ensuring those security requirements are according to established OKDHS policy and standards by working with the ETS security architect and Security Services manager to implement these requirements.

(f) Remote Access.

  • (1) In OKDHS computing environment, the remote access capability is prohibited unless expressly approved in writing by the division director or DSR.

  • (2) Remote access control seeks to ensure unauthorized access to OKDHS data or network capability is not achieved.  Approved users of the remote access capability are able to perform approved functions from non-network locations.  The remote access capability must have access to or from only one controlled entry point at a server level or higher, not at a user's personal computer (PC) or workstation; thus, a modem or compatible device cannot be used in conjunction with a user's workstation or PC which is connected to OKDHS network.

(g) Virus protection.  All workstations and servers connected to the OKDHS network have terminate and stay resident (TSR) anti-virus software installed on them.  In this environment, virus checking occurs when new media is introduced into the workstation environment.  The software automatically eradicates known viruses.  Stand alone work stations, work stations not connected to the OKDHS network, may or may not have this anti-virus software installed.  Recommendations for virus control are listed in (1) through (3) of this subsection.

  • (1) Employees do not introduce machine-readable media, such as diskettes, files, and bulletin board downloads into their computing environment at work unless these items are directly related to their work and are scanned for viruses prior to use.

  • (2) No work related media created by, or received from, sources outside the immediate computing environment are introduced into the workstation environment until it has first been scanned for computer viruses using DSD approved anti-virus software.  In a TSR protected environment, this scanning is done automatically.  Any media which is taken from the immediate work environment, for example to a class or home, must be scanned before it is reintroduced to the workstation environment.  If an employee suspects that non-approved staff may be using the employee's workstation, the employee contacts the DSD Security Services Section.

  • (3) If an employee thinks that a workstation is infected with a virus, the DSD Help Desk is notified of the problem.

(h) LAN security.  DSD Security Services Section assists divisions with security issues and requirements for LANs.  Any LAN connected through the communications network to any other LAN or mainframe in OKDHS has stringent controls placed upon it.  These controls are for the intent of deterring any unauthorized access to OKDHS information.  DSD ETS Security Services Unit provides advice and consultation to the division establishing a LAN environment regarding:

  • (1) risk analysis;

  • (2) security policy;

  • (3) disaster recovery;

  • (4) information security;

  • (5) training of users;

  • (6) physical security;

  • (7) emergency preparedness; and

  • (8) external audit and review.

(i) Network security.  All networks that have accessibility to OKDHS data are subject to compliance with OKDHS data security guidelines documented in these regulations.  Compliance with this provision constitutes a 'trusted relationship' among the respective networks.  Under this 'trusted relationship,' the repetitious checking of user ID and passwords to re-authenticate a user's authority and access capabilities are not required.  The objective of network security is to ensure the data collected and maintained by OKDHS and OKDHS computing resources are protected from inadvertent or intentional damage or misuse.  DSD has lead responsibility for network security for OKDHS.  DSD utilizes various methods for ensuring the OKDHS network is secure from unauthorized access.  Methods for ensuring the OKDHS network is secure from unauthorized access include, but are not limited to:

  • (1) encryption of all OKDHS data that travels over the Internet;

  • (2) password protection of any routers that have remote access capabilities into the OKDHS network;

  • (3) a front-end system that provides for definition of valid users for dial-up activity to the OKDHS host computer system;

  • (4) a single Internet access point to and from the OKDHS network which is protected by firewall; and

  • (5) a prohibition of personal equipment connected to any portion of the LAN or WAN.  This opens OKDHS to civil liabilities and threatens the safety and security of all network resources.

(j) Outgoing Internet usage.  Restrictions that apply to the use of the Internet are listed in (1) - (5) of this subsection.

  • (1) Only authenticated users, with an active OKDHS user ID and password, are allowed access out through the OKDHS firewall.

  • (2) Certain Internet sites and capabilities are blocked, made unavailable, and usage is monitored.  There is no expectation of privacy when accessing the Internet.  A record of all sites a user accesses is logged and archived.

  • (3) Aside from scheduled maintenance activities and unscheduled problem resolution activities, access to the Internet is available at all times.

  • (4) Any workstation on OKDHS network which is used to access the Internet must have OKDHS standard anti-virus software running on it.

  • (5) Encryption must be used when transmitting OKDHS data over the Internet.  Any plans to transmit data must be worked through ETS Security Services.

(k) Incoming Internet usage.  Processes and controls pertaining to incoming Internet usage requests are established by ETS Security Services on a case by case basis depending on the specific business need and security requirements.

(l) Mobile devices.  A mobile device is any small computing device which includes, but is not limited to, laptop and tablet computers, personal digital assistants (PDA), and smart-phones.  A mobile device is convenient, allowing the user to work from almost any location.  The restriction of no personal equipment on the OKDHS network extends to mobile devices.  Users in possession of an OKDHS mobile device must:

    • (A) protect the mobile device from theft and/or unauthorized use.  The device may contain sensitive and/or privileged information on both employees and OKDHS clients;

    • (B) ensure that the device remains encrypted in accordance with OKDHS policy and procedures;

    • (C) control and protect the device at all times.

      • (i) A mobile device must not be left unprotected in the passenger compartment of an automobile.  If the user has no other option, it is stored it in the locked trunk.

      • (ii) When in public, the user keeps the device off the floor and in the user's possession at all times.  If it must be put down, the user places the device between his or her feet or at least against his or her leg so the user is aware of it;

    • (D) not store client or employee identifiable and personal data on the mobile device.  If a user must save data because of a client visit or other official duty, the data must be removed or downloaded to the appropriate location, business application or user's U drive, as soon as possible.  Data, both business and personal, is not secure when it remains stored on the hard drive of a mobile device;

    • (E) keep the mobile devise in the proper bag or carrying case and in the user's possession at all times when traveling.

      • (i) Mobile devices cannot be checked baggage for air or ground travel.

      • (ii) When in transit or at airports, users must:

        • (I) pay special attention to the care and upkeep of the mobile device;

        • (II) keep aware of the device at all times, especially while going through security;

        • (III) hold the device until the person in front has cleared the metal detector; and

        • (IV) keep the device in sight when it emerges on the other side of the screener.  If possible, request it be hand-checked.

      • (iii) When in hotels, store the mobile device safely, such as in a drawer, closet, suitcase, or room safe; and

    • (F) when a mobile device is lost or stolen, report the loss or theft immediately to:

      • (i) local authorities;

      • (ii) his or her immediate supervisor; and

      • (iii) OKDHS Information Security Office.

(m) E-mail usage.  The purpose of this subsection is to identify the circumstances under which a user may use the OKDHS electronic mail (e-mail) system, define what OKDHS considers acceptable use and conduct in utilizing e-mail, provide clear communication of OKDHS expectations with respect to what is and what is not acceptable use, and minimize the risk of offensive or inappropriate e-mail.

    • (A) The OKDHS e-mail system is the property of the state of Oklahoma.  Users are authorized to use e-mail consistent with its intended purpose.  Because OKDHS users are to devote full time to their assigned duties, personal use of e-mail is limited.  Excessive use of e-mail for personal purposes is prohibited.

    • (B) Solicitation of any type, via e-mail, by a user is prohibited.  E-mail must not be used to convey information about commercial ventures, or religious or political causes.

    • (C) Users must not utilize e-mail to send messages that serve to:

      • (i) contribute to an intimidating or offensive workplace; or

      • (ii) threaten, make derogatory statements, or otherwise discuss others' race, national origin, sexual orientation, age, disability, religious or political beliefs, gossip, or otherwise undermine harmonious business relationships.

    • (D) The author loses control of an e-mail's duplication and distribution by others once the e-mail has been sent.

    • (E) All messages sent via e-mail are the exclusive property of OKDHS.  Messages are monitored, archived, and can be retrieved to be used in court proceedings, disciplinary proceedings, or any other legitimate OKDHS business and may be subject to disclosure under the Open Records Act.

    • (F) Users have no reasonable expectation of privacy regarding e-mail messages.  OKDHS will, with or without prior notice, monitor a user's e-mail.  All e-mail is automatically stored on the OKDHS network system.  Deleted messages may be restored and read by OKDHS for any reason.

    • (G) The appropriate division director or DSR must contact ETS Security Services to review a user's e-mail messages.

    • (H) Users must not utilize OKDHS e-mail to send non-work related e-mails, known as SPAM.

    • (I) No e-mail or other electronic communications may be sent which attempt to hide the identity of the sender, or represent the sender as someone else or from another company.

    • (J) It is strictly prohibited to send unsolicited e-mail messages or chain e-mails.

Back to Top