
COMMENT DUE DATE: August 13, 2009

DATE: August 6, 2009

Renee Jackson (405) 522-1205

Dena Thayer, PMU Manager, (405) 521-4326

Pat McCracken, PMU Specialist, (405) 522-1017

RE: Non-APA WF 09-K

It is very important that you provide your comments regarding the DRAFT COPY of policy by the comment due date. Comments are directed to the Policy Management Unit at STO.LegalServices.Policy@okdhs.org.

The proposed policy is Non-APA. This proposal is not subject to the Administrative Procedures Act.

This material was originally circulated on May 28, 2009. Additional revisions have been made to these regulations. The wording that is different from the May 28, 2009 circulation is highlighted in turquoise.


The proposed effective date is 9-1-09.

SUBCHAPTER 41. DATA SERVICES DIVISION

OKDHS:2-41-4 [AMENDED]

OKDHS:2-41-6 [AMENDED]

OKDHS:2-41-13 through OKDHS:2-41-15 [AMENDED]

SUMMARY:

OKDHS:2-41-4 is revised to improve readability.

OKDHS:2-41-6 is revised to reflect changes in the name and structure of Data Services Division (DSD) units.

OKDHS:2-41-13 through OKDHS:2-41-14 are revised to reflect name change of DSD unit.

OKDHS:2-41-15 is revised to reflect security emphasis placed with individual employees in securing electronic devices and information contained on those devices.

SUBCHAPTER 41. DATA SERVICES DIVISION

 

OKDHS:2-41-4. Definitions

Revised 6-15-08; proposed revision effective 9-1-09

The following words and terms, when used in this Part, shall have the following meaning, unless the context clearly indicates otherwise.

"Application" means a software program designed to enable end users to carry out a specific task or function. Word processors, spreadsheets, graphics programs, and data managers are application examples.

"Automated information systems" means computerized processes which collect, store, calculate, and display or report information about business processes.

"Bus" means a subsystem that transfers data between computer components inside a computer or between computers. In a network, a bus is a transmission path on which signals are dropped off or picked up at every device attached to the line. Only devices addressed by the signals pay attention to them; the others discard the signals.

"Channel Service Unit/Digital Service Unit (CSU/DSU)" means a system that converts electronic computer protocol to digital telephone protocol and vice versa.

"Confidential data" means any piece of data or set of data, the misuse of which violates existing laws or policy, violates client confidentiality or privacy, creates a liability exposure for Oklahoma Department of Human Services (OKDHS), or creates the opportunity for fraud or other illegal activities.

"Controller" means a device that acts as the electrical and logical interface between data terminal equipment and a local area network bus.

"DB2 (Database-2)" means the International Business Machines (IBM) strategic product for general purpose information storage, including database management. It is a reasonably complete implementation of relational technology. The most strategic component of DB2 is its interface, Structured Query Language (SQL). DB2 is properly viewed as an SQL engine.

"Database architecture" means the overall plan and design for the OKDHS data structure.

"Data Security" means processes and procedures to ensure data collected and maintained by OKDHS is protected from inadvertent or intentional damage or misuse.

"Hardware" means terminals, printers, personal computers, CSU/DSU, controllers, routers, hubs, servers, and central site equipment.

"Information Management System (IMS)" means an IBM software product providing an environment for database and transaction processing and database management.

"ITB" means invitation to bid.

"Local Area Network (LAN)" means a hardware and software environment consisting of a central computer, referred to as a server, and multiple personal computer workstations, referred to as clients, that allows or supports telecommunications among the clients.

"Network" means a configuration of data processing devices and software connected for information exchange.

"PC" means personal computer.

"Remote access" means technology that provides the capability to dial in to, or dial out of, a computing resource or network.

"Router" means a device that performs a function similar to a local or remote bridge. Routing, however, occurs at Layer 3 of the Open Systems Interconnection (OSI) reference model.

"Server" means the main controller for PCs connected to a LAN.

"Virus" means an unauthorized data processing application which may alter or destroy computerized data and/or equipment.

"Wide Area Network (WAN)" means a telecommunications network composed of multiple LANs connected via servers, routers, hubs, and phone lines.

"Workstation" means the individual OKDHS employee's PC and printer.

OKDHS:2-41-6. Data Services Division (DSD) Units

Revised 6-15-08; proposed revision effective 9-1-09

(a) Enterprise Application Services. Enterprise Application Services (EAS) is responsible for consultation, design, development, and maintenance for most Oklahoma Department of Human Services (OKDHS) data processing applications and systems. EAS and the appropriate divisions are responsible for approving all OKDHS applications that process on the host and client server environment supported by Data Services Division (DSD). When contracting these services, EAS provides management and staff. The services performed are:

(1) research;

(2) consultation;

(3) maintenance;

(4) enhancement; and

(5) new programming.

(b) Enterprise Support Services. Enterprise Support Services (ESS) consists of five sections:

(1) Production Services provides technical support for the set up and validation of all production batch and file transfer jobs;

(2) Operations:

(A) oversees all central site equipment such as network, servers, and mainframe;

(B) oversees daily production schedules; and

(C) conducts systems performance analyses to set benchmarks and thresholds for increased performance;

(3) Remote Site Services installs all equipment and software in local offices; and

(4) Problem Determination and Resolution:

(A) works to resolve any highly complex problems that arise needing cross unit analysis; and

(B) is operational 24 hours a day, seven days a week, excluding holidays; and

(5) Facilities:

(A) maintains an inventory of all OKDHS data processing hardware and software including:

(i) manufacturer;

(ii) model;

(iii) serial number; and

(iv) warranty end date;

(B) submits the inventory to Office of State Finance (OSF) annually per Section 41.5e of Title 62 of the Oklahoma Statutes (62 O.S. 41.5e); and

(C) secures appropriate maintenance contracts each fiscal year for OKDHS data processing hardware and software.

(c) Enterprise Technical Services. Enterprise Technical Services (ETS) is responsible for technical support of information technology (IT) services provided throughout the OKDHS computer network environment. Sections within ETS include: Database Services, Infrastructure Platform and Software Services, Architecture and Design Services, Security Services, and Telecommunications Services. The specialists in ETS work in conjunction with other DSD units in their efforts to support the OKDHS environment, and team with other DSD units and OKDHS divisions to collaborate in partnership on OKDHS projects and processes. Services provided by ETS include:

(1) generation, security, availability, and recoverability of OKDHS host-based Information Management System (IMS), Oracle, Database 2 (DB2), and Structured Query Language (SQL) server databases and the data stored and maintained in those databases. Host in this context refers to the database servers residing in the OKDHS Data Center at 1110 N.E. 12th, Oklahoma City, OK;

(2) support, security, availability, and recoverability of the OKDHS network environment that includes servers residing at the OKDHS Data Center, in remote field locations, third party software, and the telecommunications equipment and circuits used for connectivity across the network;

(3) support for decentralized data security activities including the decentralized data security representatives;

(4) design, development, maintenance, and security of the Infonet or Internet applications as related to the access of information or data stored and maintained in any of the host based servers; and

(5) support for OKDHS data sharing committees whose activities relate to data sharing at the intra-agency, interagency, interstate, and non-OKDHS levels;

(6) development of technology implementation plans and designs that support the OKDHS enterprise architecture;

(7) development and documentation of DSD processes and standards in collaboration with other DSD units and sections;

(8) review and evaluation of each technology solution and new data processing technology supported by DSD to ensure compliance with OKDHS DSD enterprise strategies;

(9) approval of all OKDHS requisitions for non-standard electronic data processing hardware and software to ensure that the acquisition is compatible with the current data processing environment and consistent with future planning and standards; and

(10) establishment of technology hardware and software standards for OKDHS.

(d) Customer Relations Services and Support. Customer Relations Services and Support (CRS):

(1) facilitates the delivery of quality solutions and services provided by DSD through information sharing and feedback ensuring technology supports the business of OKDHS and customers;

(2) measures customer service success;

(3) continuously improves communications within OKDHS;

(4) promotes and markets technology solutions;

(5) supports all OKDHS IT budgeting and fiscal operations;

(6) supports traditional business services, such as:

(A) general accounting;

(B) accounts payable;

(C) claims processing;

(D) budgeting;

(E) purchase authorization system maintenance;

(F) requisition and purchase of goods and services;

(G) contract administration;

(H) inventory and asset management;

(I) human resource services; and

(J) training;

(7) completes OKDHS annual Long-Range Electronic Data Processing Plan (Plan) per 62 O.S. 41.5e;

(8) processes any required updates of the Plan during the fiscal year;

(9) submits the Plan to OSF each year as a part of the OKDHS overall budget process per OKDHS:2-41-12; and

(10) maintains an inventory of all OKDHS data processing hardware and software including:

(A) manufacturer;

(B) model;

(C) serial number; and

(D) warranty end date.

(e) Architecture and Design. [This subsection is removed in the 9-1-09 revision; Architecture and Design is now a section within ETS and these functions are listed under (c)(6) through (10).] Architecture and Design (A&D) is composed of four sections, Security, Data, Delivery, and Applications, that:

(1) develop technology implementation plans;

(2) collaborate with other DSD units and sections to develop and document DSD processes and standards;

(3) review each technology solution supported by DSD to ensure compliance with OKDHS DSD enterprise strategies;

(4) ensure designs support the OKDHS enterprise architecture;

(5) approve all OKDHS requisitions for all non-standard electronic data processing hardware and software to ensure that the acquisition is compatible with the current data processing environment and consistent with future planning and standards;

(6) review and evaluate new data processing technology; and

(7) establishes technology hardware and software standards for OKDHS.

(e) Research and Strategy [formerly (f)]. In collaboration with other units within DSD, Research and Strategy:

(1) performs research in support of the OKDHS DSD Enterprise Architecture;

(2) develops strategies for the implementation of needed products and services to support OKDHS business requirements, such as strategies for:

(A) privacy;

(B) security;

(C) delivery; and

(D) technological solutions;

(3) develops long-term strategic planning and support;

(4) performs risk assessment of recommended technology solutions; and

(5) collaborates with CRS Business Development to establish new marketing and promotional material for DSD.

(f) Business Quality [formerly (g)]. Business Quality staff are integrally involved with all areas of DSD to coach and ensure that quality practices are followed as a fundamental part of daily practice. Business Quality:

(1) enforces quality in the products and services offered by OKDHS DSD; and

(2) provides business continuity initiatives for OKDHS by:

(A) implementing and monitoring the primary components of quality which are:

(i) process definition;

(ii) requirements management;

(iii) project tracking;

(iv) change management;

(v) risk management; and

(vi) performance measurements; and

(B) instituting business continuity practices into OKDHS systems; and

(3) establishes new practices that are well planned, thoroughly defined, and measured, ensuring not only compliance but the continual optimization of processes, thereby improving customer service.

(g) Project Management Office [formerly (h)]. The Project Management Office (PMO):

(1) delivers professional project management services to OKDHS divisions through the delivery of new and existing information technology projects; and

(2) manages the OKDHS portfolio management process including the communication, facilitation, and management of OKDHS Information Technology Governance Board projects.

OKDHS:2-41-13. Data processing application systems maintenance and development process

Revised 6-15-08; proposed revision effective 9-1-09

Oklahoma Department of Human Services (OKDHS) data processing application systems maintenance and development projects which utilize Data Services Division (DSD) hardware and software are coordinated and approved by DSD. All DSD data processing support is coordinated through the DSD Customer Relations Services and Support (CRS) coordinator assigned to the requesting office or division.

(1) Project initiation. The office or division requiring data processing support, along with the CRS coordinator, defines the basic requirements of the project. The user division initiates Form 05PM024W, Data Processing Service Request. DSD assigns a number unique to Form 05PM024W and establishes the appropriate cost center code for cost allocation of the resources utilized by the project.

(2) Requirements. The CRS coordinator works with the requesting division to establish detailed requirements for the service requested. The coordinator assists the requesting division in preparing any necessary federal planning documents, funding requests, or both. If it is determined that part or all of the project is to be out-sourced, the coordinator assists the requesting division in preparing an invitation to bid (ITB) and evaluating bid responses.

(3) Project plan. If the project is accomplished utilizing DSD resources, the CRS coordinator:

(A) establishes a project plan;

(B) develops any additional sub-projects;

(C) routes the project plan, work request, and project requirements to the appropriate DSD unit for assignment of resources;

(D) negotiates the project priority; and

(E) monitors the project until completion.

OKDHS:2-41-14. Acquisition of data processing equipment, software, and supplies

Revised 6-15-08; proposed revision effective 9-1-09

(a) Division support. The Data Services Division (DSD) provides support to the other divisions of the Oklahoma Department of Human Services (OKDHS) by assisting in the acquisition, installation, and maintenance of data processing hardware, software, and supplies. The requesting division must complete the web-based Purchase Requisition Form Entry page located on the OKDHS InfoNet (formerly Form 23CO102E, Department of Human Services Requisition) for all data processing purchases. Each purchase is coordinated and approved by DSD to ensure purchases are compatible with the current data processing environment and consistent with the Long-Range Electronic Data Processing Plan (Plan) and OKDHS standards.

(b) Disagreements. In those instances where the user division disagrees with the DSD recommendation, the issue is referred to the Information Services Division chief information officer (CIO). The CIO tries to resolve the differences by mutual agreement. If the differences are not resolved by the CIO, the issue is referred to the OKDHS Director for resolution.

(c) Office automation. DSD coordinates development of office automation systems and ensures acquisitions and processes allow for interconnectivity of all equipment. OKDHS is moving toward a totally integrated system encompassing:

(1) word processing;

(2) electronic mail;

(3) host computer center communication;

(4) personal computing;

(5) communication;

(6) video teleconferencing;

(7) graphics;

(8) data update, storage, and retrieval; and

(9) mobile technology.

(d) Supplies. DSD:

(1) assists other appropriate divisions and units to ensure state contracts are available to cover needs for technology supplies that cannot be purchased through the standard office supply ordering process;

(2) provides input and assistance to the Department of Central Services for establishment of a statewide personal computer hardware contract; and

(3) secures non-encumbered contracts for other Local Area Network (LAN) and Wide Area Network (WAN) related hardware and software needs.

(e) Maintenance contracts. DSD establishes OKDHS maintenance contracts for data processing hardware and software including terminals, printers, personal computers, Channel Service Unit/Digital Service Unit (CSU/DSU) equipment, controllers, routers, hubs, servers, central site equipment, and all standard purchase software associated with the LAN or WAN and central site data processing.

(f) Hardware and software inventory. An inventory of all hardware and software installed statewide is maintained by DSD so that maintenance contracts for all OKDHS hardware and software are secured appropriately each year and to meet the annual state agency reporting requirement per OKDHS:2-41-12. All divisions are expected to forward a copy of receiving report documentation to DSD Enterprise Support Services for all hardware and software acquired. Any move, change, addition, or deletion of hardware or software is promptly reported. The inventory information maintained includes:

(1) purchase authorization number;

(2) manufacturer;

(3) model number;

(4) serial number;

(5) description;

(6) cost;

(7) warranty end date;

(8) location installed; and

(9) technical and network information.

(g) Hardware. DSD is responsible for:

(1) approving all purchase or lease of data processing hardware;

(2) having the necessary contracts available to expedite the ordering and provide standardization;

(3) preparing and coordinating bid documents, and reviewing all such documents which are prepared by users;

(4) completing the Purchase Requisition Form Entry Page on the OKDHS InfoNet (formerly Form 23CO102E) for data processing hardware and sending it to the requesting user division for the purchase authorization number, approval, and processing in those instances where non-DSD funds are used. This web-based document is submitted through normal processing channels to Support Services Division (SSD) Contracts and Purchasing; and

(5) coordinating delivery of hardware.

(h) Installation. DSD assists in:

(1) Planning. DSD assists in installation planning, in acquiring the resources needed to install electronic data processing hardware and software, and in installing the hardware, software, and cabling necessary to provide LAN or WAN connectivity; and

(2) Site preparation. DSD assists in an advisory capacity in the identification of necessary physical requirements for installation of electronic data processing equipment, such as electrical, air conditioning, and space. Users are responsible for all modifications, such as electrical modifications or changes, necessary for the installation of their electronic data processing equipment.

(i) Maintenance service calls. All problems with supported LAN or WAN hardware and software are reported through the DSD Call Center. The Call Center logs the problem and places a trouble call with the appropriate DSD unit or contractor to resolve the problem.

(j) Data processing equipment moves. When it becomes necessary to relocate an office or data processing equipment within an office, planning and acquisition of the equipment and resources are initiated a minimum of eight weeks in advance of the date of the required move, installation, or both.

(1) The OKDHS division or office requiring the move notifies the assigned DSD Customer Relations Services and Support (CRS) coordinator of the proposed move. The human services center (HSC) routes a move request to the area director and Field Operations Division (FOD) for approval. FOD coordinates the HSC move with DSD and any other affected divisions. This notification includes:

(A) the physical locations the equipment is being moved from and to;

(B) the equipment identification, such as type of equipment, serial numbers, bar codes, and location of the equipment;

(C) contact person name and phone number; and

(D) network connectivity requirements, such as KIDS and the Human Resources Information System (HRIS).

(2) Acquisition of additional equipment or connectivity resources may be required for:

(A) electrical capacity. Electrical capacity is reviewed to determine if additional capacity is required;

(B) cabling. The relocating office must arrange the cabling with the wiring contractor, currently the OKDHS Support Services Division (SSD) Facilities Management Services Construction Unit. At least one month's notification is normally required by the contractor prior to the installation date. The assigned DSD CRS coordinator is available to assist with planning;

(C) network devices. Network devices, such as routers, hubs, and CSU/DSUs, are ordered at least eight weeks prior to the desired installation date by the relocating office with the assistance of DSD;

(D) data lines. At least four weeks prior to the desired installation date, DSD arranges for the appropriate phone company to install the necessary data lines;

(E) workstations. Workstations are ordered at least eight weeks prior to the desired installation date by the relocating office with the assistance of DSD; and

(F) printers. Printers are ordered at least eight weeks prior to the desired installation date by the relocating office with the assistance of DSD.

(3) The relocating office is responsible for arranging for the packing, unpacking, transportation, and installation of all new and existing equipment.

(4) The relocating office must notify SSD Departmental Services Unit Asset Management and Accounting of the bar codes and serial numbers of all equipment which is acquired, moved, or both.

(k) Software. Responsibilities of DSD regarding software purchases include:

(1) reviewing and recommending software purchases, leases, or both;

(2) approving all computer software acquisitions prior to purchase;

(3) preparing the web-based document, Purchase Requisition Form Entry Page (formerly Form 23CO102E), to order the software and transmitting the paperwork to the respective division for the purchase authorization number, approval, and processing in those instances where non-DSD funds are used;

(4) providing recommendations for training and consulting support on a standard set of software;

(5) providing recommendations for methods of obtaining installation support of all software;

(6) providing maintenance contracts for all supported software, when deemed necessary. DSD is not responsible for maintenance of programs developed and written by users, although it is available to provide technical support as feasible; and

(7) tracking all software licenses, ensuring compliance with copyright law and vendor licensing requirements.

OKDHS:2-41-15. Data security

Revised 6-15-08; proposed revision effective 9-1-09

(a) General policy. All data collected and maintained by Oklahoma Department of Human Services (OKDHS) is owned by and becomes the responsibility of OKDHS. The objective of data security is to ensure the data collected and maintained by OKDHS is protected from inadvertent or intentional damage or misuse. Data is accessible, subject to legal restrictions and the appropriate approval processes as outlined in this regulation, to all entities, both governmental and non-governmental, as needed to accomplish OKDHS objectives. There is no express or implied expectation of privacy for users of any OKDHS computer network, computer equipment, or other computer resources. All actions or keystrokes of such users may be monitored at any time.

(1) Data security is the responsibility of all individuals who interact in any way with OKDHS computer systems, computer resources, networks, or data. These individuals have the basic responsibility to protect data and conserve resources they use, or come in contact with, in the course of performing their assigned duties, and they are responsible for utilizing and implementing practices that support and comply with OKDHS data security guidelines.

(2) Data Services Division (DSD) Enterprise Technical Services (ETS) Security Services Section, in conjunction with the OKDHS Information Security Office (ISO), is responsible for drafting, obtaining OKDHS management's approval of, disseminating, and updating OKDHS data security guidelines.

(3) DSD, in conjunction with the OKDHS ISO, has lead responsibility for data security as it relates to data in machine readable form. The ETS Security Services Section assists with monitoring data security practices and interfacing with Electronic Data Processing (EDP) auditors.

(b) Delegation of data ownership. For the purposes of interpreting confidentiality restrictions imposed by law, establishing data classification, and approving access to data, ownership of data is delegated by OKDHS to the OKDHS division director, whose division collects and maintains the data.

(c) Classification.

(1) All data is classified as either confidential or non-confidential data.

(A) Confidential data is any piece of data or set of data, the misuse of which violates existing laws or policy, violates client confidentiality or privacy, creates a liability exposure for OKDHS, or creates opportunities for fraud or other illegal activity.

(B) Non-confidential data is any piece of data or set of data which is not confidential.

(2) Guidelines for classification are listed in (A) - (C) of this paragraph.

(A) A data set is classified according to the most sensitive detail it includes.

(B) Information recorded in several formats of media, for example source document, electronic record, or report has the same classification regardless of format or media.

(C) OKDHS complies with Oklahoma's Open Records Act. Certain designated persons who are authorized to release records may request the normal classification category be waived, subject to approval by the owner of the data.

(d) Assignment of responsibilities. Data security administration consists of three primary entities which are in turn supported by several functional area entities. The three primary entities are the data owner, the decentralized security representative (DSR), and ETS Security Services. The specific responsibilities of each entity are listed in (1) - (3) of this subsection. Data processed by the computerized systems must have an identified owner, such as division director, area director, county director, or unit administrator, and the ownership assignment must be documented with ETS Security Services.

(1) The data owner may, at his or her discretion, delegate data security administration responsibilities to a decentralized security representative (DSR). The delegation of a DSR must be in writing and submitted to ETS Security Services using Form 055C002E, Decentralized Access Control Security Agreement. The data owner or his or her delegated DSR is responsible for:

(A) ensuring data is collected and stored in a manner that meets all federal and state laws and OKDHS policy;

(B) classifying data according to legal and OKDHS policy restrictions per (c) of this Section;

(C) determining and authorizing access and utilization criteria based on the classification; and

(D) specifying and communicating access and utilization criteria to the ETS Security Services manager.

(2) The ETS Security Services manager is responsible for:

(A) processing and filing all requests for access, including approvals and denials; and

(B) administering controls as specified by the owner. These responsibilities include:

(i) administering access controls to data and resources;

(ii) providing procedural safeguards;

(iii) providing a method of assigning unique logon identification (ID) numbers and encrypted passwords to ensure user accountability;

(iv) furnishing reports of access violations as required;

(v) assisting the ISO in providing security awareness education to owners and users;

(vi) maintaining information concerning which users have access to what data and resources; and

(vii) alleviating disagreements between users and owners concerning access.

(3) The DSR is appointed by the data owner and coordinates security activities with the ETS Security Services manager. The DSR is responsible for:

(A) assisting the ETS Security Services manager within the guidelines of OKDHS policy;

(B) assisting in development of security designs for user requirements which fall within his or her scope;

(C) testing and exercising the security controls which fall within his or her scope;

(D) documenting security controls within his or her scope;

(E) administering access controls to data and resources owned by his or her division;

(F) providing procedural safeguards;

(G) supporting the assignment of unique logon IDs and encrypted passwords to ensure user accountability;

(H) reporting violations, abuse of logon IDs, and potential breaches in security to appropriate authorities and providing follow-up activity if needed;

(I) establishing new users and terminating users as appropriate, including notifying DSD Security Services of new, moved, or terminated employees in the division if those employees have or need IDs established in the DSD environment;

(J) complying with all security controls established by the owner of the data and the DSD ETS Security Services manager;

(K) training the users of the Local Area Network (LAN) on security controls established for the LAN; and

(L) interfacing with and providing information to auditors.

(e) Functional responsibilities.

(1) The ETS Security Services Section is the organizational unit within DSD responsible for maintaining the security of OKDHS computerized data and ensuring a valid and secure network environment within the guidelines of OKDHS policy. The ETS Security Services manager is a member of this organizational unit and is in charge of the ETS Security Services Section.

(2) The ETS Infrastructure Platform and Software Section maintains the configuration and administration of the current hardware, operating system(s), and third-party software.

(3) The Telecommunications Services Section maintains the LAN and Wide Area Network (WAN) for OKDHS.

(4) The Database Services Section maintains all database repositories in use at OKDHS.

(5) The Production Services Section of Enterprise Support Services (ESS) is responsible for scheduled production processing, job set up, job check out, and output distribution. Production services activities performed by other units within OKDHS are also covered under this standard. Production processing is handled in a secure manner. Production Services is responsible for:

(A) accessing data and resources through the production facilities as developed by the ETS Unit and the Enterprise Application Services (EAS) Unit; and

(B) maintaining production libraries.

(6) The Operations Section of ESS is responsible for operation of the computer equipment in the Data Center. The Operations Section is responsible for accessing data and resources through the facilities as developed by the ETS Unit.

(7) EAS develops and maintains OKDHS applications, plans for and designs efficient and cost effective data processing systems, and advises on design techniques and practices for OKDHS. EAS is responsible for:

(A) ensuring security requirements are addressed in the design and development process;

(B) designing the security requirements for the applications according to the established standards and working with the ETS security architect and ETS Security Services manager to implement these requirements; and

(C) determining if modifications to existing systems will have an impact on security, and if so, notifying the ETS Security Services manager.

(8) Customer Relations and Support (CRS) is responsible for coordination and communication with user divisions and other agencies. CRS serves as a liaison between the OKDHS user community and ETS.

(9) The Telecommunications Services Section is responsible for all OKDHS networks and WANs and supporting network security, in conjunction with the ETS Security Services Section.

(10) Users include employees of OKDHS, approved vendors, contractors, and other approved individuals who operate, use, or interface in any way with the OKDHS computer systems, computer resources, or computerized data. The users are responsible for:

(A) complying with all security controls established by the owner and data security;

(B) using the data only for the accomplishment of official duties in the manner approved by the owner;

(C) keeping logon IDs and passwords used to access data and resources confidential including not sharing passwords; and

(D) notifying the ETS Security Services manager of abuse or sharing of logon ID numbers, passwords, or both.

(11) Project Management Office (PMO):

(A) focuses on project managers leading technology teams in the development and implementation of business applications as directed by the Information Technology (IT) Governance Board;

(B) assists the organization in learning to work in an environment where resources and team members are assigned to work on projects that involve multiple units; and

(C) is responsible for:

(i) the portfolio management of all IT projects;

(ii) ensuring security requirements are identified and incorporated in all OKDHS projects; and

(iii) ensuring those security requirements are according to established OKDHS policy and standards by working with the ETS security architect and Security Services manager to implement these requirements.

(f) Remote Access.

(1) In the OKDHS computing environment, remote access capability is prohibited unless expressly approved in writing by the responsible authority.

(A) Responsible authority is the entity responsible for a computing capability or resource, such as a mainframe, LAN server, or router based network. This is a division administrator, division director, or designee.

(B) Reviewing authority is the Enterprise Technical Services (ETS) Unit. This unit drafts proposed standards and policy, establishes data security guidelines, approves remote access implementation approaches, and performs compliance reviews.

(2) Remote access control seeks to ensure unauthorized access to OKDHS data or network capability is not achieved. Approved users of the remote access capability are able to perform approved functions from non-network locations. The remote access capability must have access to or from only one controlled entry point at a server level or higher, not at a user's personal computer (PC) or workstation; thus, a modem or compatible device cannot be used in conjunction with a user's workstation or PC which is connected to the OKDHS network.

(3) Responsible authorities' approach to implementing remote access capability must be documented in writing and submitted for review and approval by the reviewing authority. Any changes to the approaches are reviewed and approved. These implementation approaches must support the objectives outlined in (1) - (3) of this paragraph.

(4) Wireless remote access devices are used only in conjunction with encryption to and from the workstation dialing up.

(g) Virus protection. All workstations and servers connected to the OKDHS network have terminate and stay resident (TSR) anti-virus software installed on them. In this environment, virus checking occurs when new media is introduced into the workstation environment. The software automatically eradicates known viruses. Stand-alone workstations, that is, workstations not connected to the OKDHS network, may or may not have this anti-virus software installed. Recommendations for virus control are listed in (1) through (3) of this subsection.

(1) Employees do not introduce machine-readable media, such as diskettes, files, and bulletin board downloads, into their computing environment at work unless these items are directly related to their work and are scanned for viruses prior to use.

(2) No work related media created by, or received from, sources outside the immediate computing environment are introduced into the workstation environment until they have first been scanned for computer viruses using DSD approved anti-virus software. In a TSR protected environment, this scanning is done automatically. Any media which is taken from the immediate work environment, for example to a class or home, must be scanned before it is reintroduced to the workstation environment. If an employee suspects that non-approved staff may be using the employee's workstation, the employee contacts the DSD Security Services Section or help desk for assistance on password protecting or locking the workstation when the employee leaves the area for an extended period of time.

(3) If an employee thinks that a workstation is infected with a virus, the DSD Help Desk is notified of the problem.

(h) LAN security. The DSD Security Services Section assists divisions with security issues and requirements for LANs. The person administratively responsible for the LAN is required to authorize a decentralized data security representative. This person is responsible for interfacing with DSD and communicating the requirements for access to data that is owned by OKDHS or other agencies. Any LAN connected through the communications network to any other LAN or mainframe in OKDHS has stringent controls placed upon it. These controls are intended to deter any unauthorized access to OKDHS information. The ETS Security Services Unit provides advice and consultation to the division establishing a LAN environment regarding:

(1) risk analysis;

(2) security policy;

(3) disaster recovery;

(4) information security;

(5) training of users;

(6) physical security;

(7) emergency preparedness; and

(8) external audit and review.

(i) Network security. Except for virtual private networking (VPN) connections as described in (k) of this Section, all networks that have accessibility to OKDHS data are subject to compliance with the OKDHS data security guidelines documented in these regulations. Compliance with this provision constitutes a 'trusted relationship' among the respective networks. Under this 'trusted relationship,' the repetitious checking of user IDs and passwords to re-authenticate a user's authority and access capabilities is not required. The objective of network security is to ensure the data collected and maintained by OKDHS and OKDHS computing resources are protected from inadvertent or intentional damage or misuse. DSD has lead responsibility for network security for OKDHS. Methods for ensuring the OKDHS network is secure from unauthorized access include, but are not limited to:

(1) encryption of all OKDHS data that travels over the Internet;

(2) password protection of any routers that have remote access capabilities into the OKDHS network;

(3) a front-end system that provides for definition of valid users for dial-up activity to the OKDHS host computer system; and

(4) a single Internet access point to and from the OKDHS network which is protected by an Application Layer Internet Gateway (ALIG) firewall; and

(5) a prohibition of personal equipment connected to any portion of the LAN or WAN. Personal equipment on the network opens OKDHS to civil liabilities and threatens the safety and security of all network resources.

(j) Outgoing Internet usage. Access to the Internet from the OKDHS network is through a single access point. This access point is an ALIG firewall. This firewall is managed by the DSD Enterprise Technical Services Unit. Restrictions that apply to the use of the Internet are listed in (1) - (7) of this subsection.

(1) Only authenticated users, with an active OKDHS user ID and password, are allowed access out through the OKDHS firewall.

(2) User authentication requires a user ID and password.


(3) Internet usage activities which are not job related are:

(A) kept to a minimum;

(B) not done during an employee's work time; and

(C) limited to Internet activities that do not violate OKDHS:2-1-7(g)(I)(4) regarding conduct unbecoming a public employee.

(4) Certain Internet sites and capabilities are blocked, made unavailable, and usage may be monitored. There is no expectation of privacy when accessing the Internet. A record of all sites which a user accesses is logged and archived.

(5) Aside from scheduled maintenance activities and unscheduled problem resolution activities, access to the Internet is available at all times.

(6) Any workstation on the OKDHS network which is used to access the Internet must have OKDHS standard anti-virus software running on it.

(7) Encryption must be used when transmitting confidential OKDHS data over the Internet. Any plans to transmit confidential data must be worked through ETS Security Services and approved by the OKDHS Information Security Officer, the data owner(s), and the ETS Security Services Section.

(k) Incoming Internet usage. With the exception of VPN connections, processes and controls pertaining to incoming Internet usage requests are established by ETS Security Services on a case by case basis depending on the specific business need and security requirements. VPNs, which create encrypted tunnels, are allowed to link users at both trusted and untrusted sites and networks.

(l) Mobile devices. A mobile device is any small computing device which includes, but is not limited to, laptop and tablet computers, personal digital assistants (PDA), and smart-phones. A mobile device is convenient, allowing the user to work from almost any location. The restriction of no personal equipment on the OKDHS network extends to mobile devices. Users in possession of an OKDHS mobile device must:

(A) protect the mobile device from theft and/or unauthorized use. The device may contain sensitive and/or privileged information on both employees and OKDHS clients;

(B) ensure that the device remains encrypted in accordance with OKDHS policy and procedures;

(C) control and protect the device at all times:

(i) A mobile device must not be left unprotected in the passenger compartment of an automobile. If the user has no other option, the device is stored in the locked trunk.

(ii) When in public, the user keeps the device off the floor and in the user's possession at all times. If it must be put down, the user places the device between his or her feet or at least against his or her leg so the user is aware of it;

(D) not store client or employee identifiable and personal data on the mobile device. If a user must save data because of a client visit or other official duty, the data must be removed or downloaded to the appropriate location, business application, or user's U drive as soon as possible. Data, both business and personal, is not secure when it remains stored on the hard drive of a mobile device;

(E) keep the mobile device in the proper bag or carrying case and in the user's possession at all times when traveling.

(i) Mobile devices must not be checked as baggage for air or ground travel.

(ii) When in transit or at airports, users must:

(I) pay special attention to the care and upkeep of the mobile device;

(II) keep aware of the device at all times, especially while going through security;

(III) hold the device until the person in front has cleared the metal detector; and

(IV) keep the device in sight when it emerges on the other side of the screener. If possible, request that it be hand-checked.

(iii) When in hotels, store the mobile device safely, such as in a drawer, closet, suitcase, or room safe; and

(F) when a mobile device is lost or stolen, report the loss or theft immediately to:

(i) local authorities;

(ii) his or her immediate supervisor; and

(iii) OKDHS Information Security Office.

(m) E-mail usage.The purpose of this subsection is to identify the circumstances under which a user may use the OKDHS electronic mail (e-mail) system, define what OKDHS considers acceptable use and conduct in utilizing e-mail, provide clear communication of OKDHS expectations with respect to what is and what is not acceptable use, and minimize the risk of offensive or inappropriate e-mail.

(A) The OKDHS e-mail system is the property of the state of Oklahoma. Users are authorized to use e-mail consistent with its intended purpose. Because OKDHS users are to devote full time to their assigned duties, personal use of e-mail is limited. Excessive use of e-mail for personal purposes is prohibited.

(B) Solicitation of any type, via e-mail, by a user is prohibited. E-mail must not be used to convey information about commercial ventures, or religious or political causes.

(C) Users must not utilize e-mail to send messages that serve to:

(i) contribute to an intimidating or offensive workplace; or

(ii) threaten, make derogatory statements, or otherwise discuss others' race, national origin, sexual orientation, age, disability, religious or political beliefs, gossip, or otherwise undermine harmonious business relationships.

(D) The author loses control of an e-mail's duplication and distribution by others once the e-mail has been sent.

(E) All messages sent via e-mail are the exclusive property of OKDHS. Messages are monitored, archived, and can be retrieved to be used in court proceedings, disciplinary proceedings, or any other legitimate OKDHS business and may be subject to disclosure under the Open Records Act.

(F) Users have no reasonable expectation of privacy regarding e-mail messages. OKDHS will, with or without prior notice, monitor a user's e-mail. All e-mail is automatically stored on the OKDHS network system. Deleted messages may be restored and read by OKDHS for any reason.

(G) The appropriate division director or DSR must contact ETS Security Services to review a user's e-mail messages.

(H) Users must not utilize OKDHS e-mail to send non-work related e-mails, known as SPAM.

(I) No e-mail or other electronic communications may be sent which attempt to hide the identity of the sender, or represent the sender as someone else or from another company.

(J) It is strictly prohibited to send unsolicited e-mail messages or chain e-mails.
