
COMMENT DUE DATE: May 28, 2009

DATE: May 14, 2009

Renee Jackson (405) 522-1205

Dena Thayer   PMU Manager   (405) 521-4326

Pat McCracken   PMU Specialist   (405) 522-1017

RE: Non-APA 09-K

It is very important that you provide your comments regarding the DRAFT COPY of policy by the comment due date. Comments are directed to *STO.LegalServices.Policy@okdhs.org

The proposed policy is Non-APA. This proposal is not subject to the Administrative Procedures Act.

The proposed effective date is 7-1-09.

SUBCHAPTER 41. DATA SERVICES DIVISION

OKDHS:2-41-4 [AMENDED]

OKDHS:2-41-6 [AMENDED]

OKDHS:2-41-13 through OKDHS:2-41-15 [AMENDED]

SUMMARY:

OKDHS:2-41-4 is revised to improve readability.

OKDHS:2-41-6 is revised to reflect changes in the name and structure of Data Services Division (DSD) units.

OKDHS:2-41-13 through OKDHS:2-41-15 are revised to reflect name change of DSD unit.

SUBCHAPTER 41. DATA SERVICES DIVISION

 

OKDHS:2-41-4. Definitions

Revised 6-15-08 6-1-09

The following words and terms when used in the Part, shall have the following meaning, unless the context clearly indicates otherwise.

"Application" means a software program designed to enable end users to carry out a specific task or function. Word processors, spreadsheets, graphics programs, and data managers are application examples.

"Automated information systems" means computerized processes which collect, store, calculate, and display or report information about business processes.

"Bus" means a subsystem that transfers data between computer components inside a computer or between computers. In a network, a bus is a transmission path on which signals are dropped off or picked up at every device attached to the line. Only devices addressed by the signals pay attention to them; the others discard the signals.

"Channel Service Unit/Digital Service Unit (CSU/DSU)" means a system that converts electronic computer protocol to digital telephone protocol and vice versa.

"Confidential data" means any piece of data or set of data, the misuse of which violates existing laws or policy, violates client confidentiality or privacy, creates a liability exposure for Oklahoma Department of Human Services (OKDHS), or creates the opportunity for fraud or other illegal activities.

"Controller" means a device that acts as the electrical and logical interface between data terminal equipment and a local area network bus.

"DB2 (Database-2)" means the International Business Machines' Machines (IBM’SIBM) strategic product for general purpose information storage, including database management. It is a reasonably complete implementation of the relational technology. The most strategic component or aspect of DB2 is the interface Structured Query Language (SQL). DB2 is properly viewed as an SQL engine.

"Data base Database architecture" means overall plan and design for OKDHS data structure.

"Data Security" means processes and procedures to ensure data collected and maintained by OKDHS is protected from inadvertent or intentional damage or misuse.

"Hardware" means terminals, printers, personal computers, CSU/DSU, controllers, routers, hubs, servers, and central site equipment.

"Information Management System (IMS)" means an IBM software product providing an environment for data base database and transaction processing and data base database management.

"ITB" means invitation to bid.

"Local Area Network (LAN)" means a hardware and software environment consisting of a central computer, referred to as a server, that has multiple personal computer workstations, referred to as client(s), and allows or supports telecommunications among the clients.

"Network" means a configuration of data processing devices and software connected for information exchange.

"PC" means personal computer.

"Remote access" means a technology that allows the capability to dial-in or dial-out of a computing capability or network.

"Router" means a device that performs a function similar to a local or remote bridge. Routing, however, occurs at Layer 3 of the Open Systems Interconnection (OSI) reference model.

"Server" means main controller for a PC hooked to a LAN.

"Virus" means an unauthorized data processing application which may alter or destroy computerized data and/or equipment.

"Wide Area Network (WAN)" means telecommunications network composed of multiple LANs connected via server, routers, hubs, and phone lines.

"Workstation" means the individual OKDHS employee's PC and printer.

OKDHS:2-41-6. Data Services Division (DSD) Units

Revised 6-15-08 6-1-09

(a) Enterprise Application Services. Enterprise Application Services (EAS) is responsible for consultation, design, development, and maintenance for most Oklahoma Department of Human Services (OKDHS) data processing applications and systems. EAS and the appropriate divisions are responsible for approving all OKDHS applications that process on the host and client server environment supported by Data Services Division (DSD). When contracting these services, EAS provides management and staff. The services performed are:

(1) research;

(2) consultation;

(3) maintenance;

(4) enhancement; and

(5) new programming.

(b) Enterprise Support Services. Enterprise Support Services (ESS) is comprised of five sections:

(1) Production Services provides technical support for the set up and validation of all production batch and file transfer jobs;

(2) Operations:

(A) oversees all central site equipment such as network, servers, and mainframe;

(B) oversees daily production schedules; and

(C) conducts systems performance analyses to set benchmarks and thresholds for increased performance;

(3) Remote Site Services installs all equipment and software in local offices; and

(4) Problem Determination and Resolution:

(A) works to resolve any highly complex problems that arise needing cross unit analysis; and

(B) is operational 24 hours a day, seven days a week, excluding holidays.; and

(5) Facilities:

(A) maintains an inventory of all OKDHS data processing hardware and software including:

(i) manufacturer;

(ii) model;

(iii) serial number; and

(iv) warranty end date;

(B) submits the inventory to Office of State Finance (OSF) annually per Section 41.5e of Title 62 of the Oklahoma Statutes (62 O.S. 41.5e); and

(C) secures appropriate maintenance contracts each fiscal year for OKDHS data processing hardware and software.

(c) Enterprise Technical Services. Enterprise Technical Services (ETS) is responsible for technical support of information technology (IT) services provided throughout the OKDHS computer network environment. Sections within ETS include: Database Services, Infrastructure Platform and Software Services, Architecture and Design Services, Security Services, and Telecommunications Services. The specialists in ETS work in conjunction with other DSD units in their efforts to support the OKDHS environment, and team with other DSD units and OKDHS divisions to collaborate in partnership on OKDHS projects and processes. Services provided by ETS include:

(1) generation, security, availability, and recoverability of OKDHS host-based Information Management System (IMS), Oracle, Database 2 (DB2), and Structured Query Language (SQL), server data base database and data stored and maintained in the data bases databases. Host in this context refers to the data base database servers residing in the OKDHS Data Center at 1110 N.E. 12th Oklahoma City, OK;

(2) support, security, availability, and recoverability of the OKDHS network environment that includes servers residing at the OKDHS Data Center, in remote field locations, third party software, and the telecommunications equipment and circuits used for connectivity across the network;

(3) support for decentralized data security activities including the decentralized data security representatives;

(4) design, development, maintenance, and security of the Infonet or Internet applications as related to the access of information or data stored and maintained in any of the host based servers; and

(5) support for OKDHS data sharing committees whose activities relate to data sharing at the intra-agency, interagency, interstate, and non-OKDHS levels.;

(6) develop and ensure technology implementation plans and designs support the OKDHS enterprise architecture;

(7) develop and document DSD processes and standards in collaboration with other DSD units and sections;

(8) review and evaluate each technology solution and new data processing technology supported by DSD to ensure compliance with OKDHS DSD enterprise strategies;

(9) approve all OKDHS requisitions for all non-standard electronic data processing hardware and software to ensure that the acquisition is compatible with the current data processing environment and consistent with future planning and standards; and

(10) establish technology hardware and software standards for OKDHS.

(d) Customer Relations Services and Support. Customer Relations Services and Support (CRS):

(1) facilitates the delivery of quality solutions and services provided by DSD through information sharing and feedback ensuring technology supports the business of OKDHS and customers;

(2) measures customer service success;

(3) continuously improves communications within OKDHS;

(4) promotes and markets technology solutions;

(5) supports all OKDHS IT budgeting and fiscal operations;

(6) supports traditional business services, such as:

(A) general accounting;

(B) accounts payable;

(C) claims processing;

(D) budgeting;

(E) purchase authorization system maintenance;

(F) requisition and purchase of goods and services;

(G) contract administration;

(H) inventory and asset management;

(I) human resource services; and

(J) training;

(7) completes OKDHS annual Long-Range Electronic Data Processing Plan (Plan) per 62 O.S. 41.5e;

(8) processes any required updates of the Plan during the fiscal year;

(9) submits the Plan to OSF each year as a part of the OKDHS overall budget process per OKDHS:2-41-12; and

(10) maintains an inventory of all OKDHS data processing hardware and software including:

(A) manufacturer;

(B) model;

(C) serial number; and

(D) warranty end date.

(e) Architecture and Design. Architecture and Design (A&D) is composed of four sections: Security, Data, Delivery, and Applications that:

(1) develop technology implementation plans;

(2) collaborate with other DSD units and sections to develop and document DSD processes and standards;

(3) review each technology solution supported by DSD to ensure compliance with OKDHS DSD enterprise strategies;

(4) ensure designs support the OKDHS enterprise architecture;

(5) approve all OKDHS requisitions for all non-standard electronic data processing hardware and software to ensure that the acquisition is compatible with the current data processing environment and consistent with future planning and standards;

(6) review and evaluate new data processing technology; and

(7) establish technology hardware and software standards for OKDHS.

(fe) Research and Strategy. In collaboration with other units within DSD, Research and Strategy:

(1) performs research in support of the OKDHS DSD Enterprise Architecture;

(2) develops strategies for the implementation of needed products and services to support OKDHS business requirements, such as strategies for:

(A) privacy;

(B) security;

(C) delivery; and

(D) technological solutions;

(3) develops long-term strategic planning and support;

(4) performs risk assessment of recommended technology solutions; and

(5) collaborates with CRS Business Development to establish new marketing and promotional material for DSD.

(gf) Business Quality. Business Quality staff is integrally involved with all areas of DSD to coach and ensure that quality practices are followed as a fundamental part of daily practice. Business Quality:

(1) enforces quality in the products and services offered by OKDHS DSD; and

(2) provides business continuity initiatives for OKDHS by:

(A) implementing and monitoring the primary components of quality which are:

(i) process definition;

(ii) requirements management;

(iii) project tracking;

(iv) change management;

(v) risk management; and

(vi) performance measurements; and

(B) instituting business continuity practices into OKDHS systems; and

(3) establishes new practices that are well planned, thoroughly defined, and measured to ensure ensuring not only compliance, but to continually optimize the continual optimization of processes to improve thereby improving customer service.

(hg) Project Management Office. The Project Management Office (PMO):

(1) delivers professional project management services to OKDHS divisions through the delivery of new and existing information technology projects; and

(2) manages the OKDHS portfolio management process including the communication, facilitation, and management of OKDHS Information Technology Governance Board projects.

OKDHS:2-41-13. Data processing application systems maintenance and development process

Revised 6-15-08 6-1-09

Oklahoma Department of Human Services (OKDHS) data processing application systems maintenance and development projects which utilize Data Services Division (DSD) hardware and software are coordinated and approved by DSD. All DSD data processing support is coordinated through the DSD Customer Relations Services and Support (CRS) coordinator assigned to the requesting office or division.

(1) Project initiation. The office or division requiring data processing support and along with the CRS coordinator define the basic requirements of the project. The user division initiates Form 05PM024W, Data Processing Service Request. DSD assigns a number unique to Form 05PM024W and establishes the appropriate cost center code for cost allocation of the resources utilized by the project.

(2) Requirements. The CRS coordinator works with the requesting division to establish detailed requirements for the service requested. The coordinator assists the requesting division in preparing any necessary federal planning documents, funding requests, or both. If it is determined that part or all of the project is to be out-sourced, the coordinator assists the requesting division in preparing an invitation to bid (ITB) and evaluating bid responses.

(3) Project plan. If the project is accomplished utilizing DSD resources, the (CRS) coordinator:

(A) establishes a project plan;

(B) develops any additional sub-projects;

(C) routes the project plan, work request, and project requirements to the appropriate DSD unit for assignment of resources;

(D) negotiates the project priority; and

(E) monitors the project until completion.

OKDHS:2-41-14. Acquisition of data processing equipment, software, and supplies

Revised 6-15-08 6-1-09

(a) Division support. The Data Services Division (DSD) provides support to the other divisions of the Oklahoma Department of Human Services (OKDHS) by assisting in the acquisition, installation, and maintenance of data processing hardware, software, and supplies. Form 23CO102E, Department of Human Services Requisition, The requesting division must complete the web-based Purchase Requisition Form Entry page located on the OKDHS InfoNet for all data processing purchases is coordinated and approved by DSD to ensure purchases are compatible with the current data processing environment and consistent with the (Plan) and OKDHS standards.

(b) Disagreements. In those instances where the user division disagrees with the DSD recommendation, the issue is referred to the Information Services Division chief information officer (CIO). The CIO tries to resolve the differences by mutual agreement. If the differences are not resolved by the CIO, then the issue is referred to the OKDHS Director for resolution.

(c) Office automation. DSD coordinates development of office automation systems and ensures acquisitions and processes allow for interconnectivity of all equipment. OKDHS moves toward a total integrated system encompassing:

(1) word processing;

(2) electronic mail;

(3) host computer center communication;

(4) personal computing;

(5) communication;

(6) video teleconferencing;

(7) graphics;

(8) data update, storage, and retrieval; and

(9) mobile technology.

(d) Supplies. DSD:

(1) assists other appropriate divisions and units to ensure state contracts are available to cover needs for technology supplies that cannot be purchased through the standard office supply ordering process;

(2) provides input and assistance to the Department of Central Services for establishment of a statewide personal computer hardware contract; and

(3) secures non-encumbered contracts for other Local Area Networks (LANs) and Wide Area Networks (WANs) related hardware and software needs.

(e) Maintenance contracts. DSD establishes OKDHS maintenance contracts for data processing hardware and software including terminals, printers, personal computers, Channel Service Unit (CSU) and Data Service Unit (DSU) controllers, routers, hubs, servers, central site equipment, and all standard purchase software associated with the LAN/WAN LAN or WAN and central site data processing.

(f) Hardware and software inventory. An inventory of all hardware and software installed statewide is maintained by DSD so that maintenance contracts for all OKDHS hardware and software are secured appropriately each year and to meet the annual state agency reporting requirement per OKDHS:2-41-12. All divisions are expected to forward a copy of receiving report documentation to DSD Enterprise Support Services for all hardware and software acquired. Any move, change, addition, or deletion of hardware or software is promptly reported. The inventory information maintained includes:

(1) purchase authorization number;

(2) manufacturer;

(3) model number;

(4) serial number;

(5) description;

(6) cost;

(7) warranty end date;

(8) location installed; and

(9) technical and network information.

(g) Hardware. DSD is responsible for:

(1) approving all purchase or lease of data processing hardware;

(2) having the necessary contracts available to expedite the ordering and provide standardization;

(3) preparing and coordinating bid documents, and reviewing all such documents which are prepared by users;

(4) completing Form 23CO102E the Purchase Requisition Form Entry Page on the OKDHS InfoNet for data processing hardware and sending it to the requesting user division for purchase authorization number, approval, and processing in those instances where non-DSD funds are used. Form 23CO102E This web-based document is submitted through normal processing channels to Support Services Division (SSD) Contracts and Purchasing; and

(5) coordinating delivery of hardware.

(h) Installation. DSD assists in:

(1) Planning. DSD assists in the installation planning and the acquisition of the resources for the installation of electronic data processing hardware and software and the installation of the hardware, software, and cabling necessary to provide LAN or WAN connectivity; and

(2) Site preparation. DSD assists in an advisory capacity to identify the identification of necessary physical requirements for installation of electronic data processing equipment, such as electrical, air conditioning, and space. Users are responsible for all modifications, such as electrical modifications or changes necessary for the installation of their electronic data processing equipment.

(i) Maintenance service calls. All problems with supported LAN or WAN hardware and software are reported through the DSD Call Center. The Call Center logs the problem and places a trouble call with the appropriate DSD unit or contractor to resolve the problem.

(j) Data processing equipment moves. When it becomes necessary to relocate an office or data processing equipment within an office, planning and acquisition of the equipment and resources are initiated a minimum of eight weeks in advance of date of the required move, installation, or both.

(1) The OKDHS division or office requiring the move notifies the DSD Customer Relations Services and Support (CRS) assigned coordinator of the proposed move. The Human Service Center human services center (HSC) routes a move request to the area director and Field Operations Division (FOD) for approval. FOD coordinates the HSC move with DSD and any other affected divisions. This notification includes:

(A) the physical locations the equipment is being moved from and to;

(B) the equipment identification such as type of equipment, serial numbers, bar codes, and finding location of the equipment;

(C) contact person name and phone number; and

(D) network connectivity such as KIDS, and Human Resources Information System (HRIS).

(2) Acquisition of additional equipment or connectivity resources may be required for the items listed in (A) - (F).:

(A) Electrical electrical capacity. Electrical capacity is reviewed to determine if additional capacity is required.;

(B) Cabling cabling. The relocating office must arrange the cabling with the wiring contractor, currently the OKDHS Support Services Division (SSD) Facilities Management Services Construction Unit. At least one month’s month notification is normally required by the contractor prior to the installation date. The DSD CRRM CRS assigned coordinator is available to assist with planning.;

(C) Network network devices such as routers, hubs, CSU and DSUs are ordered at least eight weeks prior to the desired installation date by the relocating office with the assistance of DSD.;

(D) Data data lines. At least four weeks prior to the desired installation date, DSD arranges for the appropriate phone company to install the necessary data lines.;

(E) Work work stations. Work stations are ordered at least eight weeks prior to the desired installation date by the relocating office with the assistance of DSD.; and

(F) Printers printers. Printers are ordered at least eight weeks prior to the desired installation date by the relocating office with the assistance of DSD.

(3) The relocating office is responsible for arranging for the packing, unpacking, transportation, and installation of all new and existing equipment.

(4) The relocating office must notify SSD Departmental Services Unit Asset Management and Accounting of the bar codes and serial numbers of all equipment which is acquired, moved, or both.

(k) Software. Responsibilities of DSD regarding software purchases include:

(1) reviewing and recommending software purchases, leases, or both;

(2) approving all computer software acquisitions prior to purchase;

(3) preparing Form 23CO102E the web-based document, Purchase Requisition Form Entry Page, to order the software and transmitting the paperwork to the respective division for purchase authorization number, approval, and processing in those instances where non-DSD funds are used;

(4) providing recommendations for training and consulting support on a standard set of software;

(5) providing recommendations for methods of obtaining installation support of all software;

(6) providing maintenance contracts for all supported software, when deemed necessary. DSD is not responsible for maintenance of programs developed and written by users, although it is available to provide technical support as feasible; and

(7) tracking all software licenses ensuring compliance with vendor copyright laws and licensing requirements.

OKDHS:2-41-15. Data security

Revised 6-15-08 6-1-09

(a) General policy. All data collected and maintained by Oklahoma Department of Human Services (OKDHS) is owned by and becomes the responsibility of OKDHS. The objective of data security is to ensure the data collected and maintained by OKDHS is protected from inadvertent or intentional damage or misuse. Data is accessible, subject to legal restrictions and the appropriate approval processes as outlined in this regulation, to all entities, both governmental and non-governmental, as needed to accomplish OKDHS objectives. There is no expressed or implied expectation of privacy for users of any OKDHS computer network, computer equipment, or other computer resources. All actions or keystrokes of such users may be monitored at any time.

(1) Data security is the responsibility of all individuals who interact in any way with OKDHS computer systems, computer resources, networks, or data. These individuals have the basic responsibility to protect data and conserve resources they use, or come in contact with, in the course of performing their assigned duties, and they are responsible for utilizing and implementing practices that support and comply with OKDHS data security guidelines.

(2) Data Services Division (DSD) Enterprise Technical Services (ETS) Security Services Section, in conjunction with the OKDHS Information Security Officer Office (ISO), is responsible for drafting, obtaining OKDHS management's approval, disseminating, and updating OKDHS data security guidelines.

(3) DSD, in conjunction with the OKDHS ISO, has lead responsibility for data security as it relates to data in machine readable form. The ETS Security Services Section assists with monitoring data security practices and interfacing with Electronic Data Processing (EDP) auditors.

(b) Delegation of data ownership. For the purposes of interpreting confidentiality restrictions imposed by law, establishing data classification, and approving access to data, ownership of data is delegated by OKDHS to the OKDHS division director, whose division collects and maintains the data.

(c) Classification.

(1) All data is classified as either confidential or non-confidential data.

(A) Confidential data is any piece of data or set of data, the misuse of which violates existing laws or policy, violates client confidentiality or privacy, creates a liability exposure for OKDHS, or creates the opportunities for fraud or other illegal activity.

(B) Non-confidential data is any piece of data or set of data which is not confidential.

(2) Guidelines for classification are listed in (A) - (C) of this paragraph.

(A) A data set is classified according to the most sensitive detail it includes.

(B) Information recorded in several formats of media, for example source document, electronic record, or report has the same classification regardless of format or media.

(C) OKDHS complies with Oklahoma's Open Records Act. Certain designated persons who are authorized to release records may request the normal classification category be waived, subject to approval by the owner of the data.

(d) Assignment of responsibilities. Data security administration consists of three primary entities which are in turn supported by several functional area entities. The three primary entities are the owner(s) of the various collections of data, the OKDHS ETS Security Services security services manager, who is responsible for DSD ETS Security Services Section, and a network of decentralized data security representatives. The specific responsibilities of each entity are listed in (1) - (3) of this subsection.

(1) Responsibilities of the owner are described in (A) - (B).

(A) The owner of a collection of data is the OKDHS division director responsible for the collection and maintenance of that data. Shared collection and maintenance of data implies shared ownership.

(B) Data processed by the computerized systems must have an identified owner, division, director, and the assignment must be documented. The division director may delegate ownership responsibilities to another individual. The owner of data has the authority and responsibility to:

(i) keep data security administration advised of the delegation of ownership responsibilities;

(ii) classify data according to legal and policy restrictions per (Cc) of this Section;

(iii) determine and authorize access and utilization criteria based on the classification; and

(iv) specify and communicate access and utilization criteria to the ETS Security Services security services manager.

(2) Responsibilities of the ETS Security Services security services manager are described in (A) - (B).

(A) The ETS Security Services security services manager is responsible for processing and storage of the information used to provide data security for computerized data and resources.

(B) The ETS Security Services security services manager has the responsibility to administer controls as specified by the owner. These responsibilities include:

(i) administering access controls to data and resources;

(ii) providing procedural safeguards;

(iii) providing method of assigning unique logon identification (ID) numbers and encrypted passwords to ensure user accountability;

(iv) furnishing reports of access violations as required;

(v) providing security awareness education to owners and users;

(vi) maintaining information concerning which users have access to what data and resources; and

(vii) alleviating disagreements between users and owners concerning access.

(3) The responsibilities of the decentralized security representative are described in (A) - (B).

(A) Decentralized security representatives are named by the owner and coordinate security activities with the ETS Security Services security services manager. Each division director appoints, as additional duty, a decentralized security representative. The DSD ETS Security Services security services manager is advised by memo of the appointment and each time a new representative is appointed.

(B) Decentralized security representatives are typically responsible for:

(i) assisting the ETS Security Services security services manager within the guidelines of OKDHS policy;

(ii) assisting in development of security designs for user requirements which fall within his or her scope;

(iii) testing and exercising the security controls which fall within his or her scope;

(iv) documenting security controls within his or her scope;

(v) administering access controls to data and resources owned by his or her division;

(vi) providing procedural safeguards;

(vii) providing a method of assigning unique logon IDs and encrypted passwords to ensure user accountability;

(viii) reporting violations, abuse of logon IDs, and potential breaches in security to appropriate authorities and providing follow-up activity if needed;

(ix) setting up new users and terminating users as appropriate, including notifying DSD Security Services Section of new, moved, or terminated employees in the division if those employees have or need IDs established in the DSD environment;

(x) re-setting user passwords, as needed;

(xi) complying with all security controls established by the owner of the data and DSD ETS Security Services Manager security services manager;

(xii) training the users of the Local Area Network (LAN) on security control established for the LAN; and

(xiii) interfacing with and providing information to auditors.

(e) Functional responsibilities.

(1) ETS Security Services Section is the organizational unit within DSD responsible for maintaining the security of OKDHS computerized data and ensuring a valid and secure network environment within the guidelines of OKDHS policy. The Security Services ETS security services manager is a member of this organizational unit and is in charge of the Data Security Services Section.

(2) The ETS Infrastructure Platform and Software Section maintains the current hardware, operating system(s) and third party software configuration, and administration.

(3) The Telecommunications Services Section maintains the LAN and WAN for OKDHS.

(4) The Database Services Section maintains the database repositories in use at OKDHS.

(5) The Production Services Section of Enterprise Support Services (ESS) is responsible for the scheduled production processing, job set up, job check out, and output distribution. Production services activities performed by other units within OKDHS are also covered under this standard. Production processing is handled in a secure manner. Production Services is responsible for:

(A) accessing data and resources through the production facilities as developed by the Enterprise Technical Services ETS Unit and Enterprise Application Services area; and

(B) maintaining production libraries.

(6) The Operations section Section of ESS is responsible for operation of the computer equipment in the Data Center. The Operations Section is responsible for accessing data and resources through the facilities as developed by the Enterprise Technical Services unit ETS Unit.

(7) Enterprise Application Services develops and maintains OKDHS applications, plans and designs efficient and cost effective data processing systems, and advises on design techniques and practices for OKDHS. Enterprise Application Services is responsible for:

(A) ensuring security requirements are addressed in the design and development process;

(B) designing the security requirements for the applications according to the established standards and working with the Security Service Manager ETS security service manager to implement these requirements; and

(C) determining if modifications to existing systems will have an impact on security, and if so, notifying the Security Service Manager ETS security service manager.

(8) Customer Relationship Management (CRM) Relations and Support (CRS) is responsible for coordination and communication with user divisions and other agencies. CRM CRS serves as a liaison between the OKDHS user community and DSD Enterprise Technical Services ETS. The Enterprise Technical Services ETS Unit, Telecommunications Services Section is responsible for the OKDHS networks and for maintaining network security, in conjunction with the ETS Security Services Section.

(9) Users include employees of OKDHS, approved vendors, and other approved individuals who operate, use, or interface in any way with the OKDHS computer systems, computer resources, or computerized data. The users are responsible for:

(A) complying with all security controls established by the owner and data security;

(B) using the data only for the accomplishment of official duties in the manner approved by the owner;

(C) keeping logon IDs and passwords used to access data and resources confidential including not sharing passwords; and

(D) notifying the Security Service Manager ETS security service manager of abuse or sharing of logon ID numbers, passwords, or both.

(f) Remote Access.

(1) In OKDHS computing environment, the remote access capability is prohibited unless expressly approved in writing by the responsible authority.

(A) Responsible authority is the entity responsible for a computing capability or resource, such as mainframe, LAN server, router based network. This is a division administrator, division director, or designee.

(B) Reviewing authority is Data Services Division Enterprise Technical Services DSD ETS Unit. This unit drafts proposed standards and policy, establishes data security guidelines, approves remote access implementation approaches, and performs compliance reviews.

(2) Remote access control seeks to ensure unauthorized access to OKDHS data or network capability is not achieved. Approved users of the remote access capability are able to perform approved functions from non-network locations. The remote access capability must have access to or from only one controlled entry point at a server level or higher, not at a user's personal computer (PC) or workstation; thus, a modem or compatible device cannot be used in conjunction with a user's workstation or PC which is connected to OKDHS network.

(3) Responsible authorities' approach to implementing remote access capability must be documented in writing and submitted for review and approval by the reviewing authority. Any changes to the approaches are reviewed and approved. These implementation approaches must support the objectives outlined in (1) - (3) of this paragraph.

(4) Wireless remote access devices are only used in conjunction with encryption to and from the workstation dialing up.

(g) Virus protection. All workstations and servers connected to the OKDHS network have terminate and stay resident (TSR) anti-virus software installed on them. In this environment, virus checking occurs when new media is introduced into the workstation environment. The software automatically eradicates known viruses. Stand alone work stations, work stations not connected to the OKDHS network, may or may not have this anti-virus software installed. Recommendations for virus control are listed in (1) through (3) of this subsection.

(1) Employees do not introduce machine-readable media, such as diskettes, files, and bulletin board downloads into their computing environment at work unless these items are directly related to their work and are scanned for viruses prior to use.

(2) No work related media created by, or received from, sources outside the immediate computing environment are introduced into the workstation environment until it has first been scanned for computer viruses using DSD approved anti-virus software. In a TSR protected environment, this scanning is done automatically. Any media which is taken from the immediate work environment, for example to a class or home, must be scanned before it is reintroduced to the workstation environment. If an employee suspects that non-approved staff may be using the employee's workstation, the employee contacts the DSD Security Unit Services Section or help desk for assistance on password protecting or locking the workstation when the employee leaves the area for an extended period of time.

(3) If an employee thinks that a workstation is infected with a virus, the DSD Call Center is notified of the problem.

(h) LAN security. DSD Security Services Section assists divisions with security issues and requirements on LAN. The person administratively responsible for the LAN is required to authorize a decentralized data security representative. This person is responsible for interfacing with DSD and communicating the requirements for access to data that is owned by OKDHS or other agencies. Any LAN connected through the communications network to any other LAN or mainframe in OKDHS has stringent controls placed upon it. These controls are for the intent of deterring any unauthorized access to OKDHS information. DSD data security administration provides advice and consultation to the division establishing a LAN environment regarding:

(1) risk analysis;

(2) security policy;

(3) disaster recovery;

(4) information security;

(5) training of users;

(6) physical security;

(7) emergency preparedness; and

(8) external audit and review.

(i) Network security. Except for virtual private networking (VPN) connections as described in (k) of this Section, all networks that have accessibility to OKDHS data are subject to compliance with OKDHS data security guidelines documented in these regulations. Compliance with this provision constitutes a 'trusted relationship' among the respective networks. Under this 'trusted relationship,' the repetitious checking of user ID and passwords to re-authenticate a user's authority and access capabilities is not required. The objective of network security is to ensure the data collected and maintained by OKDHS and OKDHS computing resources are protected from inadvertent or intentional damage or misuse. DSD has lead responsibility for network security for OKDHS. DSD utilizes various methods for ensuring the OKDHS network is secure from unauthorized access. Methods for ensuring the OKDHS network is secure from unauthorized access include, but are not limited to:

(1) encryption of all OKDHS data that travel on 'One-Net' or the Internet unless approval to the contrary is granted by the owner of the data and DSD data security administration;

(2) password protection of any routers that have remote access capabilities into the OKDHS network;

(3) a front-end system that provides for definition of valid users for dial-up activity to the OKDHS host computer system; and

(4) a single Internet access point to and from the OKDHS network which is protected by an Application Layer Internet Gateway (ALIG) capability.

(j) Outgoing Internet usage. Access to the Internet from the OKDHS network is through a single access point. This access point is an ALIG firewall. This firewall is managed by the DSD Enterprise Technical Services ETS Unit. Restrictions that apply to the use of the Internet are listed in (1) - (7) of this subsection.

(1) Only authenticated users are allowed access out through the OKDHS firewall.

(2) User authentication requires a user ID and password.

(3) Internet usage activities which are not job related are:

(A) kept to a minimum;

(B) not done during an employee's work time; and

(C) limited to Internet activities that do not violate OKDHS:2-1-7(g)(I)(4) regarding conduct unbecoming a public employee.

(4) Certain Internet sites and capabilities are blocked, made unavailable, and usage may be monitored. There is no expectation of privacy when accessing the Internet. A record of all sites which a user accesses is logged and archived.

(5) Aside from scheduled maintenance activities and unscheduled problem resolution activities, access to the Internet is available 24 hours per day, every day.

(6) Any workstation on OKDHS network which is used to access the Internet must have OKDHS standard anti-virus software running on it.

(7) Encryption must be used when transmitting confidential OKDHS data over the Internet. Any plans to transmit confidential data must be discussed with, and approved by the OKDHS Information Security Officer ISO, the data owner(s), and the ETS Security Services Section.

(k) Incoming Internet usage. Processes and controls pertaining to incoming Internet usage requests are established on a case by case basis depending on the specific security requirements with the exception of VPN connections. VPNs, which create encrypted tunnels, are allowed to link users at both trusted and untrusted sites and networks.
