1. 5/18/2006 Department of Technology Services Security Architecture

2. Requirements  All non-essential services (not required for application functionality and operational monitoring) must be turned off.  All servers must have an unrestricted connectivity from operational monitoring and security devices.  All operating system level access must use an encrypted protocol.  Test/Development servers must be separate from production server.

3. Requirements (cont.)  All servers must have a clean vulnerability scan report or vulnerability mitigation prior to being placed into production.  OS and Applications must have the capability to do password security enforcement.  It is recommended that applications be segmented into an n-tier model separating at a minimum the Presentation, Application/Business Logic and Database layers.

4. Requirements (cont.)  All systems shall allow for periodic system security reviews that provide assurance that management, operations, personnel, and technical controls are functioning effectively and providing adequate levels of protection. The reviews may include technical tools and security procedures such as virus scanners, vulnerability assessment products and penetration testing.

5. Data Classification  Critical: IT Infrastructure devices (routers, DNS servers, etc.)  Confidential: Confidential, sensitive or personal data as designated by the customer. As custodians this is the default classification unless clarified by the customer.  Private: Data essential to the on-going operation of the organization and its subsidiaries.  Restricted: Data that is intended for internal use within an organization.  Public: Public records data.

6. Device Network Location Based on Data Classification  Critical: Server must reside behind a firewall with IP and port specific access controls.  Confidential: Must reside on the “inside network” or “tiered firewall”.  Private: Must reside on the “inside network” or “tiered firewall”.  Restricted: Must reside on the “inside network” or “tiered firewall”.  Public: Must reside in the “DMZ network”.

7. Security Questions  The following ten questions are used as a guideline by DTS Security Management Division when evaluating new projects.  A “Yes” response to any question would result in further examination or explanation of the topic area because of the potential increased risk.

8. Security Questions 1. Is the project requesting exemption from or modification to established information security policies or standards? 2. Does this project cut across multiple lines of business in a new or unique manner for which no approved security requirements, templates or design models exist? 3. Does this project have privacy implications because of the use of customer or internal personal information?

9. Security Questions (cont.) 4. Does this project include applications and information with regulatory compliance significance (or other contractual conditions that must be formally complied with) in a new or unique manner for which no approved security requirements, templates or design models exist? 5. Is the project being run on an emergency or expedited delivery schedule?

10. Security Questions (cont.) 6. Is there new technology involved, never before used by the agency? 7. Does this project include third-party service providers conducting business on behalf of the organization, trading partners, clearinghouses, and so on? 8. Will this project involve a major change to the network infrastructure?

11. Security Questions (cont.) 9. Will there be a need to modify established identity and access management processes and infrastructure, for example, new roles, new approvals, and so on? 10. Will this project have an impact on current business continuity, disaster recovery processes and/or infrastructure?