POLICY AND PROCEDURES MEMORANDUM 1201.00

DISC Director's Office

Effective Date: 01/30/89

1.0 SUBJECT: Data Systems Security

2.0 DISTRIBUTION: All Current Users

3.0 FROM: Russell Getter, Director of DISC

4.0 PURPOSE: To establish a policy concerning administration of KSA 21-3755.

5.0 BACKGROUND: The State of Kansas is rapidly expanding in areas which provide access to data bases within the State as well as data bases in other states, private corporations and national information networks. The number of personal computers and terminals that are attached to mini-computers and mainframes is expected to continue to increase as users utilize information technology at higher levels of expertise.

The opportunity for unintentional, but nonetheless unauthorized, access to data increases as more users learn to work with higher levels of access and expertise in data manipulation. The ability to upload/download data increases the risk of a virus being introduced to a data base, potentially causing alterations within the data or elimination of all, or part, of the data.

KSA 21-3755 defines computer hardware, software, related terms and activities which are considered to be unlawful. For your information, KSA 21-3755 is stated here in its entirety:

21-3755. Computer crime; unlawful computer access. (1) As used in this section, the following words and phrases shall have the meanings respectively ascribed thereto:

(a) "Access" means to approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer, computer system or computer network.

(b) "Computer" means an electronic device which performs work using programmed instruction and which has one or more of the capabilities of storage, logic, arithmetic or communication and includes all input, output, processing, storage, software or communication facilities which are connected or related to such a device in a system or network.

(c) "Computer Network" means the interconnection of communications lines, including microwave or other means of electronic communication, with a computer through remote terminals, or a complex consisting of two or more interconnected computers.

(d) "Computer Program" means a series of instructions or statements in a form acceptable to a computer which permits the functioning of a computer system in a manner designed to provide appropriate products from such computer system.

(e) "Computer Software" means computer programs, procedures and associated documentation concerned with the operation of a computer system.

(f) "Computer System" means a set of related computer equipment or devices and computer software which may be connected or unconnected.

(g) "Financial Instrument" means any check, draft, money order, certificate of deposit, letter of credit, bill of exchange, credit card, debit card or marketable security.

(h) "Property" includes, but is not limited to, financial instruments, information, electronically produced or stored data, supporting documentation and computer software in either machine or human readable form and any other tangible or intangible item of value.

(i) "Services" includes, but is not limited to, computer time, data processing and storage functions and other uses of a computer, computer system or computer network to perform useful work.

(j) "Supporting Documentation" includes, but is not limited to, all documentation used in the construction, classification, implementation, use or modification of computer software, computer programs or data.

(2) Computer crime is:

(a) Willfully and without authorization gaining or attempting to gain access to and damaging, modifying, altering, destroying, copying, disclosing or taking possession of a computer, computer system, computer network or any other property;

(b) using a computer, computer system, computer network or any other property for the purpose of devising or executing a scheme or artifice with the intent to defraud or for the purpose of obtaining money, property, services or any other thing of value by means of false or fraudulent pretense or representation; or

(c) willfully exceeding the limits of authorization and damaging, modifying, altering, destroying, copying, disclosing or taking possession of a computer, computer system, computer network or any other property.

Computer crime which causes a loss of the value of less than $150 is a class A misdemeanor.

Computer crime which causes a loss of the value of $150 or more is a class E felony.

(3) In any prosecution for computer crime, it is a defense that the property or services, were appropriated openly and avowedly under a claim of title made in good faith.

(4) Unlawful computer access is willfully, fraudulently and without authorization gaining or attempting to gain access to any computer, computer system, computer network or to any computer software, program, documentation, data or property contained in any computer, computer system or computer network.

Unlawful computer access is a class A misdemeanor.

(5) This section shall be part of and supplemental to the Kansas criminal code.

History: L. 1985, ch. 108, s 1; July 1.

DISC has established Policy and Procedure Memorandums and Standards which address issues related to the physical security of DISC's computer center (PPM 4203.00) and responsibility for implementing and operating data processing controls (PPM 4206.00).

PPM 4206.00 defines roles for the owner of data and applications, users, and suppliers of service. This PPM further defines those roles concerning unlawful computer access.

6.0 PROCEDURE:

6.1 The owner of data and applications controls the access to the data. The owner is usually a single agency but in some cases more than one agency may be the owner of data. The owner of the data and applications is responsible for administering KSA 21-3755 and for:

6.1.1 Responding to inquiries about the authorized use of data,

6.1.2 Reviewing and approving user access to data,

6.1.3 Establishing criteria for levels of user access,

6.1.4 Reviewing and approving requests for applications development and/or modification,

6.1.5 Protecting the interests of the State by restricting access to only authorized users and monitoring the effectiveness of established security measures.

6.2 The user is authorized to access data for specific purposes which have been reviewed and approved by the owner. The user is responsible for:

6.2.1 Developing procedures and standards for security measures related to the operation of personal computers and terminals,

6.2.2 Maintaining security over the data in their personal possession,

6.2.3 Ensuring that confidentiality is maintained in their immediate work area.

6.3 The supplier of service is the agency or organization unit which operates and maintains mainframes or minicomputers for owners of data. The supplier of service may also be the owner of data in those cases where an agency operates and maintains their own applications on agency owned mainframes and/or minicomputers. The supplier of service is responsible for:

6.3.1 Providing physical security for the networks and the computer facility,

6.3.2 Administering guidelines and controls established by the owner and related to security issues,

6.3.3 Monitoring user access to determine if access has been authorized by the owner,

6.3.4 Maintaining security and confidentiality of data.

6.4 Each of the identified parties should establish appropriate guidelines which address:

6.4.1 The use of only approved software on their respective equipment,

6.4.2 Safeguarding master disks,

6.4.3 Restrictions on access to computers and terminals,

6.4.4 Restrictions on downloading bulletin board software,

6.4.5 User access to system networks,

6.4.6 The establishment of methods and procedures for monitoring security effectiveness.

7.0 CONTACT PERSON: Dale Johnson - Deputy Director Bureau of Information Systems
785-296-3463