Internet/Intranet Security

Number: ENT-SEC-012

Established for: State of Montana Information Technology Enterprise

Janet Kelly, Director
Department of Administration
Date: 06/27/05

Jeff Brandt, Acting CIO
Department of Administration
06/27/05

Policy - Requirements

SCOPE

This policy applies to all computers that reside on the state’s network, including all state agencies as well as local government entities. This policy does not apply to colleges and universities, or the Commissioner of Higher Education Office.

PURPOSE

The Department of Administration’s Information Technology Services Division (ITSD) is responsible for providing security for the Montana state network. This policy identifies the Internet/Intranet security responsibilities for both ITSD and entities that maintain computers on the state’s network.

REQUIREMENTS

The State of Montana network is a network shared by state agencies and local government entities that incorporates security measures to protect the State of Montana’s information technology resources from outside entities. There are no expectations of privacy when using state computing resources unless explicitly indicated by law.

ITSD INTERNET/INTRANET SECURITY RESPONSIBILITIES

ITSD will provide the following:

1. A separate area on the network referred to as the DMZ (Demilitarized Zone) for Internet Web and FTP Servers. All Internet web and ftp servers must reside on this area of the network. ITSD will also provide web and ftp hosting services for agencies that do not have the capabilities of moving servers to this isolated area on the network. ITSD can also house these servers in its secured data center.

2. Access from the trusted side of the state network to the Internet. Though typically unrestricted, some restrictions may be added at the discretion of ITSD if certain protocols or traffic are determined to be a security threat. ITSD will work with the Computer Security Incident Response Team to identify such security threats and determine the appropriate action. Some filters may be applied according to the Internet Filtering policy (ENT-SEC-121).

3. A firewall allowing only approved externally initiated access from the Internet to the trusted side of the state network. All requests for access through the firewall will be submitted to and reviewed by the State Cyber Protection Officer, who will approve or deny the requests. Such decisions may be appealed to the CIO.

4. A firewall between an agency or portion of an agency’s network and the trusted state network will be provided at the agency’s expense if requested. Agency firewalls will be installed and administered by ITSD unless precluded by statutory requirements.

5. Monitoring of all external connections to the trusted side of the state network. All external dial-up and dedicated connections must use the approved method as designated in policy ENT-SEC-130 Remote Access for Employees and Contractors.

6. Auditing of the state network including the detection and reporting of intrusion attempts performed continuously in an automated fashion. Daily review of the audit logs during the workweek. Agencies will be notified within 24 hours when their portion of the network is involved in any breaches of network security.

7. Management of Domain Name Services (DNS) and Internet Protocol (IP) Addresses. ITSD will assign IP addresses for authorized users of the state network. Agencies will use a private addressing scheme to provide additional security for network devices. All agencies will use the enterprise Domain Name Services (DNS) and Dynamic Host Configuration Protocol (DHCP) services.

8. Management and installation of all routers, switches, firewalls, hubs, access points and any new or future telecommunications devices that support the State of Montana network.

9. The Office of Cyber Protection will conduct an annual security review of all agencies that have been granted exceptions to this policy.

ITSD may implement additional security measures as needed using software and/or hardware configurations for protecting the state network or ensuring secure communications. These may include encryption or filters restricting certain types of network traffic. All wireless connections to the inside (protected) portion of the network will be encrypted and authenticated. Unauthorized connections to the state network will not be permitted. Connections creating routing patterns that flood the network with unnecessary traffic are not allowed.

AGENCY INTERNET/INTRANET SECURITY RESPONSIBILITIES

ITSD will take reasonable steps to make the state network as secure as possible, but agencies also have the responsibility for ensuring an adequate level of security for all data within their department.

Agencies will cooperate to make shared sites secure and may incorporate encryption into data transmission between sites on the wide area network (WAN).

Standard security checks (provided by the Office of Cyber Protection) must be made on Web Servers before they are made accessible to the public.

In accordance with the Remote Access Policy (ENT-SEC-130), an agency may allow remote access to its computing resources on a case-by-case basis. Approval for this access must be granted in writing by the appropriate agency management. Access will be granted for the benefit of the State of Montana and not for personal benefit or use. Access to state computer resources by unauthorized remote access users shall be considered a security violation. Remote access users are obligated to abide by all computing policies of the state and the agency.

Security breaches, or suspicion of security breaches, must be reported to the State Cyber Protection Officer.

Background - History on the creation of or changes to this policy

The Department of Administration’s Information Technology Services Division Network Security Officer created this policy. Included are issues addressed in a prior policy entitled “Access of State Computer Systems by Employees, Agents, or Contractors via Asynchronous Communications” which was replaced by this policy. The 2002 changes to the policy were proposed by the State Information Security Section and reviewed with the ITMC for comment prior to adoption.

Recommendations for modifications of this policy were made by the enterprise Security Committee in January 2005. The January 2005 modifications were discussed at two ITMC meetings and at a separate ITSD sponsored meeting on May 10, 2005.

Guidelines - Recommendations, not requirements

There are no guidelines for this policy.

References - Laws, rules, standard operating procedures and applicable policies