IT Policies
Statewide IT Policies
Statewide IT policies are set by the Information Technology Executive Council.
OITS Policies
OITS Policy 5230 - IP Phone Background Images
Effective Date 12/31/2012
Review Date 07/2019
1.0 SUBJECT: IP Phone Background Images
2.0 DISTRIBUTION: All branches of State Government
3.0 PURPOSE: To establish and define a policy in regard to the availability of background images for IP phones on the State's Cisco phone system.
4.0 BACKGROUND: The Cisco Phone system contains a feature allowing background images, much like on a workstation, to be displayed on the menu screen. This feature allows the phone to be personalized by an organization. At least one agency from each branch of government has requested a customized background image for their branch of government. Maintaining an unlimited number of images will create system management and storage issues, therefore the number of images available on the system will be restricted.
5.0 POLICY: To address the management issue, each branch of government will be allowed to have two customized phone background images. Individual agencies within each branch of government will not be allowed to have custom images specific to the agency. However, each end user in each agency will have the option to choose the appropriate image for their branch of government from the available images on the State's Cisco phone system.
6.0 CONTACT PERSON: Director, OITS Telecommunications 785-296-4999.
OITS Policy 9206 - OITS Central Office Visitor Policy
Effective Date 07/09/2014
Review Date 07/2019
1.0 SUBJECT: OITS Central Office Visitor Policy
2.0 PURPOSE: The purpose of this document is to provide guidance for Visitors to the Office of Information Technology Services Central Office (OITS CO) premises, as well as for employees sponsoring visitors to OITS CO.
3.0 BACKGROUND: The State of Kansas requires the use of access controls to restrict physical access to facilities that house information systems. Without physical access controls, the potential exists that information systems could be illegitimately accessed and the confidentiality, integrity and availability of the information they house compromised.
4.0 PROCEDURE:
4.1 Check-In
4.1.1 All visitors must arrive in the main reception area. All visitors must check in and affix a visitor badge to their person at a location above their waist and easily visible.
4.1.2 All visitors must present government-issued photo identification to their employee sponsor.
4.1.3 All visitors will remain at the check-in station until their employee sponsor arrives.
4.1.4 Visitors may not sponsor other visitors.
4.1.5 Pets are not permitted; however, service animals such as Seeing Eye Dogs are permitted.
4.1.6 Visitor logs shall also be maintained in each data center.
4.1.7 Visitor access shall be recorded in a log that includes, at a minimum:
4.1.7.1 Name and organization of the visitor
4.1.7.2 Name and organization of the person and/or system visited
4.1.7.3 Purpose of the visit
4.1.7.4 Date and time of arrival and departure
4.1.7.5 The form of identification used for identity verification
4.1.7.6 Visitor’s signature
4.1.7.7 Visitor’s badge number
4.2 Visitor logs will be reviewed for completeness on at least a monthly basis and maintained for seven years.
4.3 Check-Out:
4.3.1 Visitors will check out at the same station where they arrived.
4.4 Visitor Badges
4.4.1 Visitor badges shall be easily recognizable.
4.4.2 Visitor badges must be worn at all times. Employees are instructed to immediately report any visitor not wearing a visitor badge. Visitor badges are solely used for recognition and shall not open any door.
4.5 Photographs
4.5.1 Visitors shall not take photographs unless discussed specifically with sponsoring employees. For example, photographs are sometimes required for documentation purposes. If employees have any questions about the suitability of photographs they should consult Administrative Services or the Kansas Information Security Office (KISO). Notwithstanding other requirements of this section, cell phones and laptops equipped with cameras are permitted.
4.6 Information Disclosure
4.6.1 Visitors should not request information that does not pertain to their visit or the work being performed. Confidential or otherwise inappropriate requests for organization information, documentation, comments or statements on any matter currently under litigation (as might be requested by a reporter or a lawyer) will be reported to the KISO.
4.7 Sanitizing Controlled Areas
4.7.1 Any area containing sensitive information shall be sanitized prior to any visitation.
4.8 Emergency Evacuation
4.8.1 In the event of an emergency, it is the sponsoring employee’s responsibility to encourage the visitor to remain in the evacuation marshaling area. Emergency coordinators will include visitors in their accountability procedures using the visitors log from the check-in station.
4.9 Multiple Day or Extended Period Visits
4.9.1 For multiple day or extended period visits, visitors may be issued a Consultant ID badge under the following conditions:
4.9.1.1 Administrative Services has received authorization from the department head to issue a visitor a Consultant ID badge.
4.9.1.2 The visitor has a sponsor.
4.9.1.3 The visit will be for a period longer than 4 consecutive hours.
4.9.1.4 The visitor’s sponsor will ensure the Consultant ID badge is returned upon completion of the visit.
4.10 Unaccompanied visitor access to controlled areas such as datacenters, storage areas, frame rooms, Telecom Equipment Rooms (TER), etc. is prohibited.
4.11 Groups Requesting Tours of Facilities
4.11.1 All requests for group tours of facilities will be referred to Administrative Services and/or Office of the CISO for handling as an exception. A reason for the tour, areas of interest, and a list of participants must be provided.
4.11.2 Administrative Services will coordinate for an employee to be the designated sponsor of the group; the employee must have appropriate access to the tour’s intended areas of interest.
4.11.3 The group sponsor will provide a summary of the Emergency Evacuation Procedure and restrictions on photographs prior to the start of the tour.
4.11.4 Visitor badges for groups with more than three participants are not required; instead, Administrative Services will provide the group sponsor with a roster of the group’s participants, and must remain with the group at all times until the tour is completed.
4.12 Network or System Access
4.12.1 Visitors that need internet access may use the state wireless network.
4.12.2 Visitors who require temporary access to production networks require prior permission from the department head with which they are visiting, and their employee sponsor will arrange for temporary credentials. Prerequisites for this access include:
4.12.2.1 The visitor shall review the Information Security User Guide.
4.12.2.2 The visitor shall agree to abide by the policies set forth in the user guide by signing the user agreement located in the user guide.
4.12.2.3 The visitor’s sponsor shall provide the signed user agreement to Administrative Services where it will be maintained for two years.
No visitor may have unaccompanied access to any network or information system that would disclose Restricted Use Information (RUI) (See ITEC Security Policy 7230a for RUI definition) without first having completed a fingerprint based background investigation that has been adjudicated by the KISO.
4.13 Penalties
4.13.1 Violations of any of the requirements in this policy by any employee may result in disciplinary action, up to and including prosecution and/or termination.
4.13.2 Violations of any of the requirements in this policy by any visitor may also result in similar disciplinary action against the sponsoring employee, and may also result in termination of services with any associated consulting organization or prosecution in the case of criminal activity.
5.0 CONTACT PERSON: COO, Office of Information Technology Services, 785-296-4999
OITS Policy 9207 - ID Badges/Electronic Card Key Management
Effective Date 06/12/2013
Review Date 07/2019
1.0 SUBJECT: ID Badges/Electronic Card Key Management
2.0 DISTRIBUTION: OITS
3.0 PURPOSE: The purpose of this document is to provide guidance for issuance of Electronic Card Keys for access to OITS Central Office controlled areas.
4.0 BACKGROUND: The State of Kansas requires the use of access controls to restrict physical access to facilities that house information systems. Without physical access control the potential exists that information systems could be illegitimately accessed and the information within compromised. Unaccompanied access to these controlled areas will be limited to authorized personnel only and that authorization shall be demonstrated through the use of authorization credentials (badges, identity cards, etc.) that have been issued by the State.
5.0 PROCEDURE:
5.1 ID Badge/Electronic Card Key
5.1.1 ID badges shall be issued by Administrative Services.
5.1.2 Three types of ID badges shall be available:
5.1.2.1 State Employee ID Badge: This badge is issued by the Kansas Highway Patrol and is only issued to State employees. Access to areas using this badge will be determined by the employee’s supervisor. Access provided by the badge may be changed as duties change.
5.1.2.2 Visitor ID Badge: Visitor ID badges are used only for identifying visitors; they shall not provide access to any area.
5.1.2.3 Consultant ID Badge: Managed by Administrative Services, this badge is issued by the Kansas Highway Patrol and shall only open office area doors. This badge shall only be issued to authorized consultants, contractors, or vendors. As a standing exception, this badge may also be temporarily issued to an employee that has lost or forgotten their State Employee ID Badge.
5.1.3 ID Badges and Electronic Card Keys: Except for State Employee ID badges, and for the purpose of this Policy and Procedures Memorandum (PPM), all other ID badges and electronic card keys shall be used to identify electronic keys that provide access to controlled areas. These electronic keys shall be used and treated as an ordinary key and managed by local key control procedures.
6.0 Visitors
6.1 Must sign in and out at the reception desk; visitors must have a sponsor; the sponsor will be responsible for ensuring the visitor logs in and out.
6.2 All visitors shall be issued a visitors badge which must be worn at all times.
6.3 No visitor shall have unaccompanied access to any area.
6.4 For further information on visitors refer to the visitor policy.
7.0 Consultants, Contractors and Vendors
7.1 Consultant ID badges may be requested for consultants performing services that require more than four consecutive hours to complete. Consultant ID badges only open doors to office areas and no others (data centers, storage areas, frame rooms, etc.).
7.2 For consultants, contractors and vendors that do not maintain a clearance with administrative services, escorts are required for access to any controlled area such as data centers, storage areas, frame rooms, etc.
7.3 For unaccompanied access to controlled areas the following applies:
7.3.1 Must be working on behalf of a local active where access to a controlled area is required.
7.3.2 Must possess an equivalent OITS security clearance that has been verified by the Office of the CISO, and proof of this clearance is on file with Administrative Services.
7.3.3 Must be on the unaccompanied access roster maintained by Administrative Services.
7.4 Non-state employees that have been authorized unaccompanied access to controlled areas shall sign for (card) keys to specific areas from the appropriate key control custodians such as the Network Operations Center (NOC).
8.0 Employees
8.1 Employees shall not share use of their State Employee ID badge.
8.2 Employees that forget their State Employee ID badge may temporarily sign for a Consultant ID Badge from Administrative Services.
9.0 Facilities Maintenance Personnel
9.1 State personnel performing maintenance in controlled areas are also required to possess a security clearance for unaccompanied access. This clearance must be maintained on file with Administrative Services.
10.0 Administrative Services
10.1 Shall be responsible for requesting all badges and card keys.
10.2 Shall be responsible for issuing Consultant ID badges. The following are requirements before a Consultant ID badge is issued:
10.2.1 Issuing a consultant badge to employees requires that employment is verified, and the employee has either lost or forgotten their State issued ID badge.
10.2.2 Issuing a Consultant ID badge to non-state employees requires that an office head has approved a request, for an individual whose services require more than four consecutive hours.
10.3 Shall be responsible for issuing electronic card keys to controlled areas to the NOC.
10.4 Shall be responsible for conducting monthly reconciliation reviews of those authorized unaccompanied access to controlled areas. Records of these reviews shall be maintained on file for six years.
10.5 Shall be responsible for providing the NOC with an “access roster” of those authorized unaccompanied access that may be issued keys to controlled areas.
10.6 Shall conduct quarterly inventories of all electronic card keys issued. Records of these audits shall be maintained for six years.
10.7 Shall be responsible for discontinuing access of any electronic card key or ID badge if lost, missing or stolen.
11.0 Network Operations Center (NOC)
11.1 Shall manage electronic card keys in accordance with local key control policy.
11.2 Shall be responsible for issuing electronic card keys to all controlled areas.
11.3 Shall only issue electronic card keys to authorized persons whose names are present on the access roster provided by Administrative Services.
12.0 CONTACT PERSON: COO, Office of Information Technology Services, 785-296-4999