The State of Utah must maintain compliance with legal requirements for confidentiality and integrity while providing for public access to appropriate information. The State's technological resources need to be available to users across the enterprise regardless of location or platform. The State must implement security and directory services in such a manner that its information infrastructure is protected and accessible. At the same time, functionality must be unimpeded and business services need to be readily available.
  • Identification and Authentication
  • Authorization and Access Control
  • Administration
  • Audit
  • Content Filtering
  • Endpoint Security
  • Encryption
  • Intrusion Detection
  • Logging and Alerts
  • Monitoring (Hardware and IDS)
  • Security Zoning
  • Trending
  • VPN Technology
  • Vulnerability Scanning and Testing

Status legend:
  • Green: Approved
  • Yellow: Pending Review
  • Red: Research Required
Abbreviations: NA: Not applicable or required. TBD: To be determined. OS: Open Source

Summary of Standards

| Status | Description | Product/Technology or Standards | State Contract |
|---|---|---|---|
| Approved | Authentication and Identification | 5000-1400 Identification & Authentication Policy | N/A |
| | | 5000-1400-S1 Identification and Password Standards | |
| Pending Review | Authorization and Access Control | 5000-1500 Access Control Policy | N/A |
| | | 5000-1500-S1 Access Control Standards | |
| Pending Review | Administration | 5000-1300 Awareness and Training Policy | N/A |
| | | 5000-1300-S1 Awareness and Training Standards | |
| | | 5000-1250 Computer Incident Reporting Policy | |
| | | 5000-1200 Incident Response Policy | |
| | | 5000-1200 Incident Response Standards | |
| | | 5000-1701 Confidential Information Policy | |
| | | 5000-1707 Malicious Activity Policy | |
| Pending Review | Audit | 5000-1600 Audit and Accountability Policy | N/A |
| | | 5000-1600 Audit and Accountability Standards | |
| Pending Review | Content Filtering | 8e6 Professional Edition | 8e6 TBD |
| | | 5000-1008 Web Content Filtering | N/A |
| | | 5000-1008-S1 Web Content Filtering Standard | N/A |
| Approved | Endpoint Security (ES) | Antivirus, Antispyware and Personal Firewalls Standard | - |
| | ES: Desktop | Endpoint Protection 11.0 or greater | Norton TBD |
| | ES: Desktop | Network Access Control 11.0 or greater | |
| | ES: Servers | Endpoint Protection 11.0 or greater | |
| | ES: Servers | Antivirus 10.0 for servers or greater | |
| | ES: Servers | Network Access Control 11.0 or greater | |
| Approved | Encryption (EC) | Laptop and EMail Encryption | - |
| | EC: Desktops & Laptops | PGP Desktop 9.9.x or greater | PGP TBD |
| | EC: Desktops & Laptops | PGP Whole Disk encryption 9.9.x or greater | |
| | EC: Desktops & Laptops | PGP NetShare 9.9.x or greater | |
| | EC: Servers | PGP Universal server 2.9.x or greater | |
| | EC: Servers | PGP Email Gateway 2.9.x or greater | |
| Pending Review | Intrusion Detection (IDS) | - | - |
| | IDS: Detection (OS) | Snort | N/A |
| | IDS: Snort Rule Management (OS) | Oinkmaster | N/A |
| | IDS: Snort Reporting (OS) | Barnyard | N/A |
| Pending Review | Logging & Alerts | Cisco MARS | TBD |
| Pending Review | Monitoring Tools (MT) | - | - |
| | MT: Hardware (OS) | Nagios (Monitors IDS servers and sensors) | N/A |
| | MT: IDS | Activeworx Security Console (Manages IDS alerts, Syslog, SNMP traps, etc.) | TBD |
| Research Required | Security Zoning | TBD | TBD |
| Pending Review | Trending (TG) | - | - |
| | TG: Reports and Statistics | Activeworx Security Console (Provides scheduled and ad hoc reports and statistics) | TBD |
| | TG: Sensor Monitoring/Trending (OS) | BASE | N/A |
| Approved | Virtual Private Networks (VPN) | Cisco VPN | TBD |
| Pending Review | Vulnerability Scanning and Testing (VST) | - | - |
| | VST: (OS) | Nessus 3.x or greater | N/A |
| | VST: (OS) | Metasploit | N/A |
| | VST: (OS) | NeXpose | TBD |

State Policy, Standards and Related References:
5000-0001 Removal of Data from Decommissioned Storage Devices
5000-1008 Web Content Filtering
5000-1008-S1 Web Content Filtering Standard
5000-1100 Media Protection Policy
5000-1100-S1 Media Protection Standards
5000-1100-S4 Encryption Standards
5000-1100-S5 Portable Computing Devices Security Standard
5000-1160 Removal of Data
5000-1200 Incident Response Policy
5000-1200 Incident Response Standards
5000-1250 Computer Incident Reporting Policy

5000-1300 Awareness and Training Policy
5000-1300-S1 Awareness and Training Standards
5000-1400 Identification & Authentication Policy
5000-1400-S1 Identification and Password Standards
5000-1500 Access Control Policy
5000-1500-S1 Access Control Standards
5000-1508 Warning Banner Policy
5000-1600 Audit and Accountability Policy
5000-1600 Audit and Accountability Standards
5000-1700 Information Protection

5000-1700 Information Protection Policy
5000-1700-S1 System & Communications Protection Standards
5000-1700-S7 DTS Payment Card (PCI) Security Standard
5000-1701 Confidential Information Policy

5000-1707 Malicious Activity Policy
5000-1760 Firewall Management Policy
5110-0002 Information Asset Security Classification Policy
Security Controls Framework 20090112