Information is a critical State asset. Information is comparable with other assets in that there is a cost in obtaining it and a value in using it. However, unlike many other assets, the value of reliable and accurate information appreciates over time as opposed to depreciating. Shared information is a powerful tool and loss or misuse can be costly, if not illegal. The intent of this Security Policy is to protect the information assets of the State.
This Security Policy governs all aspects of hardware, software, communications and information. It covers all State Agencies as well as contractors or other entities who may be given permission to log in, view or access State information.
- Information includes any data or knowledge collected, processed, stored, managed, transferred or disseminated by any method.
- The Owner of the information is the State Agency responsible for producing, collecting and maintaining the authenticity, integrity and accuracy of information.
- The Hosting State Agency has physical and operational control of the hardware, software, communications and data bases (files) of the owning Agency. The Hosting Agency can also be an Owner.
The confidentiality of all information created or hosted by a State Agency is the responsibility of that State Agency. Disclosure is governed by legislation, regulatory protections and rules as well as policies and procedures of the owning State Agency. The highest of ethical standards are required to prevent the inappropriate transfer of sensitive or confidential information.
All information content is owned by the State Agency responsible for collecting and maintaining the authenticity, integrity and accuracy of the information. The objective of the owning State Agency is to protect the information from inadvertent or intentional damage, unauthorized disclosure or use according to the owning Agency's defined classification standards and procedural guidelines.
Information access is subject to legal restrictions and to the appropriate approval processes of the owning State Agency. The owning State Agency is responsible for maintaining current and accurate access authorities and communicating these in an agreed upon manner to the security function at the State Agency hosting the information. The hosting State Agency has the responsibility to adhere to procedures and put into effect all authorized changes received from the owning State Agencies in a timely manner.
Information security - The State Agency Director whose Agency collects and maintains (owns) the information is responsible for interpreting confidentiality restrictions imposed by laws and statutes, establishing information classification and approving information access. The hosting State Agency will staff a security function whose responsibility will be operational control and timely implementation of access privileges. This will include access authorization, termination of access privileges, monitoring of usage and audit of incidents. The State Agencies that access the systems have the responsibility to protect the confidentiality of information which they use in the course of their assigned duties.
Information availability is the responsibility of the hosting State Agency. Access to information will be granted as needed to all State Agencies to support their required processes, functions and timelines. Proven backup and recovery procedures for all data elements to cover the possible loss or corruption of system information are the responsibility of the hosting State Agency.
The hosting State Agency is responsible for securing strategic and operational control of its hardware, software and telecommunication facilities. Included in this mandate is the implementation of effective safeguards and firewalls to prevent unauthorized access to system processes and computing / telecommunication operational centers. Recovery plans are mandatory and will be periodically tested to ensure the continued availability of services in the event of loss to any of the facilities.
Development, control and communication of Information Security Policy, Procedures and Guidelines for the State of Oklahoma are the responsibility of the Office of Management and Enterprise Services. This Policy represents the minimum requirements for information security at all State Agencies. Individual agency standards for information security may be more specific than these state-wide requirements but shall in no case be less than the minimum requirements.
The state of Oklahoma and OK.gov take your Internet security very seriously. Our technology and policies are designed to make your online transactions safe, private, and secure. Rigorous policies and procedures are utilized to safeguard your personal information, such as social security numbers, banking information, and personal data.
The following security measures have been taken to ensure the safety of Oklahomans:
Cybertrust Certified - OK.gov has achieved Cybertrust's Enterprise Certification from Cybertrust, the world's leading information security specialist. OK.gov has maintained this certification since June 11, 2007.
Payment Card Industry Data Security Standards (PCI DSS) Compliant - Adherence to performance measurements outlined in the PCI-DSS annual self evaluation, as well as submission to regular scans from Security Metrics to search for network vulnerabilities.
Sarbanes-Oxley Compliant - Adhere to secure change control procedures.
Secure Sensitive Information Submissions - All sensitive information submitted during online transactions are sent via encrypted network protocols.
Secure Internal Networks - All data transferred between databases is done via secure network protocols to ensure that only authorized users can access the network and no one can intercept data.
Data Storage Policies - Unless necessary, OK.gov does not permanently store financial information so it cannot be retrieved or compromised.
Secure Policies and Procedures - Password and network activity audits are performed quarterly.
Physical Location Security - All physical locations where hardware and software are located are physically secured and only accessible by individuals with proper authorization.