Computer Security Policy Overview

Information security policy refers to the set of rules and practices an entity uses to manage and protect its information resources. The individual courts have the responsibility to enforce the policies and direct that the Administrative Office, as part of its regular audit process, examine and comment upon the adequacy of the courts’ enforcement methods.

In discussions of information security, the term policy has more than one meaning. Policy is senior management’s directives to create an information resources security program, establish its goals, and assign responsibilities. Policy is also used to refer to specific security rules for particular systems or to specific managerial decisions, such as establishing an organization’s e-mail privacy policy or fax security policy. This standard uses the term policy as follows:

·        Program policy is what management uses to create an organization’s security program. It is high-level, comprehensive, and unlikely to need frequent updating.

·        System-specific policy is the body of rules and practices used to protect a particular information system. System-specific policy is limited to the system (or systems) affected and may change with changes in the system, its functionality, or its vulnerabilities.

·        Issue-specific policy addresses issues of current relevance and concern to the court. Issue-specific policy statements are likely to be limited, particular, and rapidly changing. Their promulgation may be triggered by a computer security incident.

Program Policy

The program policy must proceed within the framework of existing laws, regulations, state policies/procedures/standards, and sometimes federal or other organizational requirements. It must also be guided by the court’s mission statement and organizational structure. Program policy development and promulgation is the responsibility of senior management and should take place under the direction of court management or their appointed representative.

System-Specific Policy

Some courts are likely to have multiple sets of system-specific policy relating to security, from the very general (e.g., access control rules about who may have user accounts) to the very specific (e.g., system permissions reflecting segregation of duties among employees involved in handling case information).

Issue-Specific Policy

The court’s body of issue-specific policy statements is likely, by its very nature, to lack a coherent relationship to information security goals. Individual policy statements, however, may be highly pertinent to these goals, such as those governing Internet access by users, installation of unauthorized software or equipment, and the sending or receipt of attachments to e-mail.

Computer Security Policy Standards

Minimum Security Option

Description: Require only high-level program-level policy.

Benefits: Low cost (requires development of only high-level program policy).

Disadvantages: Will not address system-specific or issue-specific policies.


1.      For all courts, a written, high-level program-level policy is required. The policy will be based on the court’s risk assessment and include the following components:

·        Purpose statement: The purpose statement explains why the program is being established and its information security goals.

·        Scope: The scope section will state which court resources—hardware, software (operating systems, applications, and communications), data, personnel, facilities, and peripheral equipment (including telecommunications)—are to be covered by the security program.[1]

·        Assignment of responsibilities: The program policy will document responsibility for information security program management to an assigned information security function[2] and detail supporting responsibilities of executives, line managers, owners, custodians, users, and the overall information technology (IT) organization.[3]

·        Compliance: The compliance section will describe how the court will oversee the creation and conduct of the information security program and identify the person(s) who will be responsible for enforcing compliance with system-specific and issue-specific policies. This section will also establish, in general terms, a disciplinary process for dealing with infractions.[4]

2.      All employees will be required to read and sign the security policy, acknowledging that they understand it and their related responsibilities, prior to obtaining computer access. The signed policy shall be retained in the employee’s personnel file or by IT.

3.      The policy will be reviewed annually and updated (if needed) to reflect changes in the environment.

Optimum Security Option

Description: Require program-level, system-specific, and issue-specific policy.

Benefits: Covers all critical policy areas.

Disadvantages: More costly than just developing program-level policy.


In addition to the Minimum Security Option, the following standards apply:

1.      System-specific policy will be adopted for the critical information systems, such as the case management systems and financial systems. The policy shall include:

·        A requirement that access profiles be established based on job duties and be used to grant access permission to information systems. For example, “Access to the court information systems is permitted to employees based on the trust level assigned by the employee’s manager. The court seeks to balance transparent user access with network security. Trust level is based on the person’s need to access IT resources to perform job tasks.”

·        System permissions reflecting segregation of duties among employees involved in handling critical functions and/or sensitive information. For example, “The court will ensure adequate controls and separation of duties for tasks that are susceptible to fraudulent or other unauthorized activity.”

2.      Issue-specific policies will be adopted for areas such as the appropriate use of Internet and e-mail, installation of software, and personal use of computer resources. The existing JCIT standards for appropriate use of the Internet and e-mail (http://www.courts.state.tx.us/jcit/resolutions/epolicy.asp) shall be used.

3.      The court will prominently display on screen, prior to access of the Internet, a banner notice clearly and conspicuously disclosing that the use of the system is subject to the appropriate use policy, that the contents of the use may be viewed and recorded, that the employee’s use of the system constitutes consent to such viewing and recording, and that uses inconsistent with the policy may result in disciplinary action.

4.      All security policies will be discussed in new employee orientation and in on-going annual computer security awareness training.

5.      Executive management shall send a notice to all employees announcing the impending issuance of the security policy, their support for said policy, and the requirement that all employees abide by its rules/instructions.

6.      The security policies shall be reviewed on an annual basis to ensure that they are up-to-date and reflect the current computer system and court environment.

Maximum Security Option

Description: Require program-level, system-specific, and issue-specific policy. Require annual testing of users’ knowledge of the computer security policy and annual compliance assessments.

Benefits: Covers all critical policy areas in detail.

Disadvantages: Higher costs associated with performing user tests and compliance reviews.


In addition to the Optimum Security Option, the following standards apply:

1.      Users will be tested on an on-going basis regarding their knowledge of the computer security policy. Additional training will be provided based on the results of the testing.

2.      Formal computer security policy compliance assessments will be performed and the results will be communicated to court management. Corrective action will be taken to address any compliance issues identified.



[1] TAC 201.13(b)(4) Information Security Standards—Classification of Information.

[2] TAC 201.13(b)(5)(B) Information Security Standards—Management and Staff Responsibilities—The Information Security Function.

[3] TAC 201.13(b)(5) Information Security Standards—Management and Staff Responsibilities.

[4] TAC 201.13(b)(5)(A)(i) Information Security Standards—Management and Staff Responsibilities—Owner Responsibilities.