POLICY &
PROCEDURE
MEMORANDUM
4206.01

Bureau of Information Systems

Effective Date
09/10/2002
Review Date
09/2002

1.0 SUBJECT: Responsibility for Implementing and Operating Information Technology Controls

2.0 DISTRIBUTION: All State Agencies

3.0 FROM: _____________________________________________

Bruce Roberts, Director of DISC

4.0 PURPOSE: To establish a policy with regard to the assignment of responsibility for the security and control of the State’s Information Technology (IT) resources.

5.0 BACKGROUND: The security of the State’s IT resources will be provided through the cooperative effort of three entities:

Providing security is, in effect, reducing the probability of loss. It is much like buying insurance, in that the cost rises as the probability of loss increases. Because of this, it is important to the State that the probability and cost of potential losses be carefully weighed against the cost of security procedures. The owner of data and applications plays a major role in determining the loss to the State if programs and data are inadvertently destroyed or altered.

    5.1 The three entities are:

      5.1.1 Owner: An owner is an agency or other organizational entity that has responsibility for making and communicating judgments and decisions on behalf of the State with regard to identification, risk classification, value, and protection of the State’s IT resources, or a portion thereof.

      5.1.2 User: A user is an individual or organizational unit that is authorized to use IT resources.

      5.1.3 Supplier of Service: A Supplier of Service is an organizational unit that provides IT services to others or to itself in support of the State’s mission and goals.

    5.2 The State’s IT resources include:
        5.2.1 Application data.
        5.2.2 Application programs.
        5.2.3 Systems software.
        5.2.4 IT equipment.
        5.2.5 Devices.
        5.2.6 IT Services.

          5.2.6.1 Application Design.
          5.2.6.2 Programming.
          5.2.6.3 Data Entry.
          5.2.6.4 Library and other Custodian Functions.
          5.2.6.5 Word Processing.
          5.2.6.6 Electronic Mail.
          5.2.6.7 Data Transmission.
          5.2.6.8 Central Processing.
          5.2.6.9 Remote Processing.
          5.2.6.10 Distributed Processing.

6.0 PROCEDURE: The responsibilities of each entity with regard to providing Security are as follows:
    6.1 The OWNER is responsible for:
      6.1.1 Judging the value and importance of owned resources.

      6.1.2 Establishing the proper risk classification for each resource and specifying resource protection controls.

      6.1.3 Specifying management and processing controls.

      6.1.4 Authorizing access and assigning custody.

      6.1.5 Communicating control and protection requirements to the Supplier of Services and to Users.

      6.1.6 Periodically reviewing control and risk classification decisions.

      6.1.7 Monitoring compliance.

    6.2 The USER is responsible for:
      6.2.1 Using the State’s IT resources only when duly authorized and only for authorized purposes.

      6.2.2 Effective use of control facilities and capabilities.

      6.2.3 Compliance with applicable IT resource protection practices and directives and with owner-established management controls and resource protection requirements.
    6.3 The SUPPLIER OF SERVICE is responsible for:
      6.3.1 Complying with applicable directives and agreements.

      6.3.2 Administering owner-specified business and resource protection controls for information and IT resources in their custody.

      6.3.3 Administering or providing administration of access to information under their control.

      6.3.4 Providing physical security for the data center and for the shared resources that reside therein.
    6.4 Agency management and personnel have the role of OWNER and USER for all application related resources. DISC assumes the role of SUPPLIER OF SERVICES for applications which are processed in its Data Centers. The role of SUPPLIER OF SERVICES is assumed by the agencies or other computer system providers for those applications that are not processed in the DISC Centers.

    6.5 It shall be the direct responsibility of each agency to maintain an inventory of its IT resources, assess the probability and cost of loss for each, and implement security procedures which are adequate to keep the level of risk at an acceptable level. It shall be the responsibility of DISC to provide administrative leadership in coordinating the activities of agencies as they develop security procedures, policies, and standards as set forth in ITEC security guidelines. It shall also be the responsibility of DISC and the Kansas Information Technology Office to provide technical assistance in the selection, installation, and implementation of the hardware and software tools required to make the necessary security policies and procedures operational.

7.0 HISTORY: This PPM was originally issued as #4206.00 dated 1/24/1986. Re-issued #4206.01, dated 06/30/2001. Re-issued #4206.02, dated 9/10/2002. Changes are indicated with a vertical bar in the left margin.

8.0 CONTACT PERSON: Deputy Director, Bureau of Information Systems, 785-296-3343.

DISC Publications are now available on the internet at: da.state.ks.us/disc/pubs/