L&I, Office of Information Technology Policy SEC-000
Security Planning Policy
This policy creates a prescriptive set of processes, procedures, and training, aligned with applicable Governor’s Office of Administration (OA) and the Department of Labor & Industry (L&I) Information Technology (IT) security policies and standards. This policy establishes the minimum requirements for the L&I Office of Information Technology (OIT) to plan IT security, which will help protect information, including Federal Tax Information (FTI), from unauthorized access and improper disclosure in compliance with safeguards and requirements defined by the Internal Revenue Service (IRS) and the Social Security Administration (SSA). This policy is intended to meet the control requirements outlined in IRS Publication 1075 and the National Institute of Standards and Technology (NIST) critical controls PL-1, PL-2, PL-3, PL-4, and PL-6 per NIST SP 800-53 Rev. 4, as well as additional OA policies and controls.
The IT System Security Plan (SSP) at L&I is intended to facilitate the effective implementation of the processes necessary to meet IT system security requirements as stipulated by federal and state policies. The SSP ensures that business needs are met in a secure manner.
An SSP is crucial to the development of a service, system, or application. An SSP shall be in place to address organizational policies, security testing, rules of behavior, contingency plans, architecture and network diagrams, and requirements for security reviews.
The SSP supports the system development life cycle (SDLC) and shall be updated as system events trigger the need for revision in order to accurately reflect the most current state of the system. The SSP provides a summary of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.
At a high level, L&I OIT employs access controls to specify how access to data is managed.
This policy applies to all L&I employees, business partners, contractors, temporary personnel, agents, and vendors (hereinafter referred to as “L&I Users”), as well as L&I systems that have been designated as Mission Critical Applications (MCA) or that contain data classified as sensitive.
L&I OIT shall align with the NIST Cybersecurity Framework v1.1 and shall apply the NIST SP 800-53 security controls.
OIT shall classify all systems and the data processed and stored by that system in accordance with Federal Information Processing Standard Publication 199 (FIPS 199) per L&I policies: ADM-000, SEC-001, SEC-012, SYM-005 and OA policies ITP-SEC019, ITP-SEC020, ITP-SEC031.
OIT shall perform a risk analysis to determine the level and complexity of controls required to ensure the confidentiality, integrity, and availability of L&I’s data.
OIT shall select controls from the NIST critical controls based on data owner requirements (e.g., IRS Publication 1075), risk, and business requirements.
L&I shall implement Role Based Access Controls (RBAC) to grant and restrict access to sensitive data.
All system owners (SO) of sensitive systems shall produce an SSP for their system, including systems that use Commercial-Off-The-Shelf (COTS) applications.
All SOs shall establish within the SSP a user’s expected behavior with regard to sensitive information and information system usage, as well as the controls to address user behavior. SOs and the agency Chief Information Security Officer (CISO) shall modify the contents of the SSP to meet the requirements of the data owner and the business. OIT shall plan and coordinate security-related activities affecting these information systems.
The CISO shall annually review the SSP, Disaster Recovery (DR), Continuity Of Operations (COOP), and Commonwealth of PA Procurement and Architectural Review (COPPAR) documents with the SO as part of the IT Service Continuity Management and IT Security Management plans.
COTS application administrators shall produce an SSP for their product and ensure it integrates with the application SSP and agency SSP.
OIT shall review architectural changes, version changes, and enhancements to the system for impact to the SSP as part of the change and release management processes, per the APP-000 System Development Life Cycle policy.
OIT shall implement a risk management methodology and incorporate it with L&I’s IT Infrastructure Library (ITIL) processes per ADM-002.
OIT shall make plans for appropriate action when loss, damage, or breach of confidentiality occurs, per SEC-008. OIT shall update the SSP as part of the IT Service Continuity Management process.
OIT shall assess security alerts and threats and apply compensating controls based on the risk management methodology.
Violations of the department’s policies may result in disciplinary action up to and including termination of employment or contractor sanctions.
- L&I User responsibilities:
  - Comply with all L&I policies, management directives, and laws; and
  - Report any violations of policies promptly to the L&I Chief Information Security Officer at LI, OIT-DLICISO.
- L&I management responsibilities:
  - Comply with all L&I policies and ensure L&I Users comply with the policies; and
  - Adhere to this policy and any published procedures regarding security planning.
7. Version Control
Format and Content Revision