Rule 36-1-1.11 - General Policy RequirementsA. Each agency must operate in a manner consistent with the maintenance of a shared, trusted environment within state government for the protection of sensitive data and business transactions. Agencies may establish certain autonomous applications, including those hosted by an Applications Service Provider or other third party, outside of the shared, trusted environment, provided the establishment and operation of such applications follows all guidelines as set forth in this security policy and does not jeopardize the enterprise security environment, specifically:1. The security protocols (including means of secure transport, authentication, and authorization) relied upon by others; and2. The integrity, reliability and predictability of the state network infrastructureB. Each agency must establish its secure state business applications within the criteria outlined in the ITS Enterprise Security Policy. This requires that all parties interact with agencies through a common security architecture and authentication process. ITS shall maintain and operate the shared state government network infrastructure necessary to support applications and data within a trusted environment.C. Each agency that operates its applications and networks within the state government network infrastructure must subscribe to the following principles of shared security:1. Agencies shall follow security standards established for selecting appropriate assurance levels for specific application or data access and implement the protections and controls specified by the appropriate assurance levels;2. Agencies shall recognize and support the state's standard means of authenticating external parties needing access to sensitive information and applications;3. Agencies shall follow security standards established for securing servers and data associated with their applications; and4. Agencies shall follow security standards established for creating secure sessions for application access.D. Each agency must address the effect of using the Internet to conduct transactions for state business with other public entities, citizens, and businesses. Plans for Internet-based applications must be prepared and incorporated into the agency's security plan and submitted for review.E. Each agency must review its IT security processes, procedures, and practices at least annually and make appropriate updates after any significant change to its business, computing, or telecommunications environment. Examples of these changes include modifications to physical facility, computer hardware or software, telecommunications hardware or software, telecommunications networks, application systems, organization, or budget. Practices will include appropriate mechanisms for receiving, documenting, and responding to security issues identified internally or by third parties.F. Each agency must develop, implement, and maintain their individual agency IT security policy. Each agency will annually review, and revise (as needed) its security policy. Revisions to agency security policies must incorporate relevant technological advances in the broad areas of IT, changes in agency business requirements, and changes in the agency's IT environment.G. Each agency must develop, implement, and maintain their individual agency IT security plan. Each agency will annually review, revise (as needed), and formally transmit its security plan to ITS. 1. Technological advances and changes in the business requirements will necessitate periodic revisions; therefore, agencies must review and update IT security plans at least annually and following any significant change to its business, computing, or telecommunications environment.2. If an agency purchases IT services from another entity, the agency and the provider must work together to make certain the IT security plan for the provider fits within the agency's plan. If two or more agencies participate with each other in operating an information service facility, then the agencies must provide details within their individual agency security plans regarding these projects and ensure that their plans meet their mutual needs.3. A portion of each agency's plan must promote security awareness by informing employees, associates, business partners, and others using its computers or networks about: security policies and practices, expectations of the users, and data handling procedures.H. Agency heads are responsible for the oversight of their respective agency's IT security and will be required to confirm in writing that the agency is in compliance with this policy. The annual security verification letter must be submitted with the agency's security plan. The verification indicates review and acceptance of agency security processes, procedures, and practices as well as any updates to them since the last approval.I. Each agency must obtain an IT security risk assessment from third-party security consultants at least once every three years. The agency will be required to submit a copy of the Executive Summary from the third party's assessment report to the ITS Information Security Division along with a copy of the agency's remediation plan for addressing issues identified within the assessment. Should critical or high-level risk be identified in the agency's report, the agency may be required to provide additional detailed information from the third party's full assessment report. Please be advised that any reports and/or documents resulting from a security risk assessment are classified as confidential and are not to be made available for public disclosure in accordance with Section 25-61-9 of the Mississippi code annotated. ITS recommends that agencies perform regular security assessments on their network throughout this three-year period, but it is not mandatory that they provide reporting for the additional security assessments.J. Each agency may be subject to an Information Systems (IS) audit conducted by the State Auditor's Office. As part of the standard IS audit process, they will consider the Enterprise Security Policy as they review systems, processes, and procedures. The State Auditor may determine a special audit of an agency's IS processing is warranted, in which case they will proceed under their existing authority. Each agency must maintain documentation showing the results of its review or audit and the plan for correcting significant deficiencies revealed by the review or audit. To the extent that the audit documentation includes valuable formulate, designs, drawings, computer source codes, object codes or research data, or that disclosure of the audit documentation would be contrary to the public interest and would irreparably damage vital government functions, such audit documentation is exempt from public disclosure.K. Each agency must ensure staff is appropriately trained in IT security policy, plans, and procedures. Each agency must make staff aware of the need for IT security and train them to perform the security procedures for which they are responsible. Agencies must participate in appropriate security alert response organizations at the state, regional, and national levels as required by their mission. At minimum, the agency must participate in the state's SecureNet listserve to receive security alert notifications.L. The only permitted exceptions to the IT security policy of the State of Mississippi are those that are approved in writing by ITS for an agency's specific purpose and are only applicable to that agency's operations. Miss. Code Ann. § 25-53-1 to § 25-53-25.