The Oregon Administrative Rules contain OARs filed through November 15, 2014
 

 

DEPARTMENT OF CORRECTIONS

 

DIVISION 5

NETWORK AND INFORMATION SYSTEM ACCESS AND SECURITY

 

291-005-0005

Authority, Purpose, and Policy

(1) Authority: The authority for this rule is granted to the Director of the Department of Corrections in accordance with ORS 179.040, 423.020, 423.030, and 423.075.

(2) Purpose:

(a) The purpose of this rule is to establish policies, procedures and guidelines for security of Department of Corrections (DOC) information systems. Any information system operated by the Department of Corrections or connected to the department's network and information contained in DOC information networked computer systems shall be protected by the security guidelines established in this rule.

(b) The Department of Corrections intends to operate all of its automation resources, including multi-user computer systems, terminal devices, personal computers (PCs), work stations, networks and communications devices, in such a manner as to ensure:

(A) The accuracy and reliability of the department's information, regardless of whether it is stored and processed on the department's information systems or on other computer systems, including employee-owned personal computers or information systems operated by other agencies and organizations;

(B) The protection of each individual's rights of privacy concerning information about that person which may be stored on DOC information systems;

(C) Accessibility to the information by authorized users of DOC information systems;

(D) Denial of access to DOC information systems and information for all other unauthorized persons; and

(E) Detection of and intervention in attempted or actual system break-ins, information tampering and destruction, and all other forms of misuse of DOC information systems, computer equipment, computer networks and information.

(3) Policy: It is the policy of the Department of Corrections that computerized information shall be made secure from unauthorized access. Accepted supervision and management practices shall be required of employees to provide adequate security which restricts unauthorized access. Any external organization granted access to DOC information systems shall be required to follow and enforce the security guidelines of these rules.

Stat. Auth.: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Stats. Implemented: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Hist.: CD 5-1978, f. 2-15-78, ef. 2-16-78; CD 7-1981, f. & ef. 4-17-81; CD 38-1985, f. & ef. 8-16-85; CD 12-1986, f. & ef. 6-30-86; CD 24-1992, f. 11-24-92, cert. ef. 12-1-92; CD 10-1997, f. & cert. ef. 6-20-97; DOC 16-1999, f. 9-24-99, cert. ef. 10-1-99

291-005-0011

Definitions

(1) Account/User Profile: A data record which is associated with each authorized user of a computer system and/or network. This record specifies the user's real name, log-on or sign-on name, secret password, identification numbers or codes, and other operating parameters (such as limitations on the use of system resources, access permissions, etc.). This record is created and maintained for each user by the DOC network security officer or his/her designee. The record is used by the computer or network operating system software to permit or deny use of or access to system resources for a given user.

(2) Application(s): Any computer program or group of related computer programs which perform specific operations to support or execute information processing required by the user or department.

(3) Authorized User: An individual who holds explicit permission to use an information systems resource. An authorized user is distinguished by ownership of an active user account/user profile and a fully executed security agreement.

(4) Communications Devices: Any equipment which supports the connection of an information processing component (for example, a terminal, PC, or host computer) to another information processing component for the purpose of data transmission and reception.

(5) Computer Equipment: Automation resources including, but not limited to, terminals, personal computers, work stations, controllers, printers, and communications devices.

(6) Dial-up: Access to a computer system or network which uses communications devices. For instance, a user might use a PC and modem from home to review a department report which is stored on a minicomputer; a user who is traveling can use a laptop PC with a modem to send and receive electronic mail from his/her hotel room.

(7) DOC Network Security Officer: A person(s) appointed by the Assistant Director for Information Systems and Services Division (ISSD) to perform security functions for the DOC information systems.

(8) External organization: Any non-Department of Corrections department, agency, corporation or other groups of individuals who are not under the authority of the Director of the Department of Corrections. This includes, but is not limited to, national, state, county and municipal government agencies and departments, service providers and consultants, product and services vendors, appointed or ad hoc committees, advisory groups and the public at large.

(9) Functional Unit: Any organizational component within the Department of Corrections responsible for the delivery of program services or coordination of program operations.

(10) Functional Unit Manager: Any person within the Department of Corrections who reports to either the Director, the Deputy Director, an Assistant Director, or an administrator and has responsibility for delivery of program services or coordination of program operations.

(11) Information System: Any automated system which supports storage, processing of and access to information (data). An information system includes the physical equipment, software, and data.

(12) Inmate: Any person under the supervision of the Department of Corrections or other corrections agency who is not on parole, probation, or post-prison supervision status.

(13) Offender: Any person under the supervision of local community corrections who is on parole, probation, or post-prison supervision status.

(14) Oregon Corrections Enterprises: A semi-independent state agency that is a non-Department of Corrections agency or division, which is under the authority of the Director of the Department of Corrections. For purposes of this rule only, Oregon Corrections Enterprises shall not be considered an external organization.

(15) Oregon Corrections Enterprises (OCE) Employee: Any person employed full-time, part-time, or under temporary appointment by the Oregon Corrections Enterprises. For the purposes of this rule only, employee shall also include any person under contractual arrangement to provide services to the agency; any person employed by private or public sector agencies who is serving under agency-sanctioned special assignment to provide services or support to agency programs.

(16) Stand-alone Personal Computer Equipment: Computer equipment not connected to the Department of Corrections network or any other network.

(17) Terminals: Input/output devices that are used for data entry and display of entered or processed information. A terminal consists of a display screen and some form of input device, usually a keyboard or scanner.

Stat. Auth.: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Stats. Implemented: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Hist.: CD 7-1981, f. & ef. 4-17-81; CD 38-1985, f. & ef. 8-16-85; CD 24-1992, f. 11-24-92, cert. ef. 12-1-92; CD 10-1997, f. & cert. ef. 6-20-97; DOC 16-1999, f. 9-24-99, cert. ef. 10-1-99; DOC 23-1999(Temp), f. 7 cert ef. 12-22-99 thru 6-19-00; DOC 11-2000, f. & cert. ef. 6-19-00

Procedures

291-005-0015

General

(1) These rules cover the following assets of the department:

(a) Any and all information regarding or related to the department's business and mission, where that information is stored as data contained in or on any information system, or produced for display and review by that system.

(A) Such data may be recorded on a number of different media, such as magnetic tapes, magnetic or optical disks, hard or floppy disks, CD ROM, and a variety of printed forms on paper, etc.

(B) This data may be stored, processed, accessed, and displayed on any number of computer systems including, but not limited to, those owned and operated by the department, its employees, contractors, and consultants.

(b) The information systems equipment, specifically the computer hardware and software, peripheral devices, network components, data communications devices, terminals, personal computers, and printers which are owned, leased and/or operated by the department to store, process, and display information.

(c) Access to and use of the department's information systems.

(2) These rules specify the means to detect and prevent misuse and/or loss of any of these assets. They cover the range of misuse from innocent accidents which cause little or no damage to malicious actions which cause data corruption, loss of information, and denial of services.

Stat. Auth.: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Stats. Implemented: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Hist.: CD 7-1981, f. & ef. 4-17-81; CD 38-1985, f. & ef. 8-16-85; CD 12-1986, f. & ef. 6-30-86; CD 24-1992, f. 11-24-92, cert. ef. 12-1-92; CD 10-1997, f. & cert. ef. 6-20-97; DOC 16-1999, f. 9-24-99, cert. ef. 10-1-99

291-005-0025

Access Authorization

(1) Only authorized users shall be allowed access to DOC information systems.

(2) Authorized users shall be granted access to DOC information systems on a need-to-use basis. Such access will be controlled by use of a password.

(3) Requests for user access and termination of user access shall be accepted by the DOC network security officer or designee from functional unit managers or their designees only. These personnel shall handle all requests for access and termination for their functional unit. Letters of agreement with external organizations for access to DOC information systems shall clearly indicate the process and authority for user access authorization. Users from external organizations must comply with this rule.

(4) No person presently or previously under the custody, control, or supervision of the Department of Corrections or its agents shall be granted access to any computers or systems which contain data or are connected to any DOC information system unless the request for access has been reviewed, approved and recommended by the functional unit manager. Final approval for such access will be determined by the Assistant Director for ISSD.

(5) Functional unit managers or their designees shall identify their staff who have a need to use DOC information systems and shall be responsible for the following process for authorization:

(a) Functional unit managers or their designees are responsible to ensure that criminal history checks have been done on all persons for whom they request authorization to access DOC information systems. This includes contractors, volunteers, temporary staff, regular employees, and OCE employees.

(b) Security Agreement:

(A) All persons requesting access to DOC information systems must sign a security agreement which indicates that they understand they are responsible to protect agency assets, including computers and information in accordance with the provisions of the Department of Corrections rules on Release of Public Information; Files, Records, and Detainers; and Network and Information System Access and Security.

(B) The DOC network security officer or designee shall maintain a file of security agreements.

(c) Authorization Form:

(A) The user's functional unit manager or designee shall complete an authorization form requesting access to the DOC network and the DOC applications.

(B) A separate request form shall be completed if the user is requesting dial-up access to DOC information systems.

(C) Authorization forms shall be signed by the functional unit manager or designee for the functional unit or external organization and shall be forwarded to the DOC network security officer who shall generate a user identification and a user account allowing the access requested.

(d) Training: The user shall be required to complete a training module on password management before access to the system is authorized. Notification of completion of training shall be forwarded to the DOC network security officer or designee, who shall then activate the user's profile. The DOC network security officer shall notify the user when the profile is activated and access is authorized.

Stat. Auth.: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Stats. Implemented: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Hist.: CD 7-1981, f. & ef. 4-17-81; CD 38-1985, f. & ef. 8-16-85; CD 12-1986, f. & ef. 6-30-86; CD 24-1992, f. 11-24-92, cert. ef. 12-1-92; CD 10-1997, f. & cert. ef. 6-20-97; DOC 16-1999, f. 9-24-99, cert. ef. 10-1-99; DOC 23-1999(Temp), f. 7 cert ef. 12-22-99 thru 6-19-00; DOC 11-2000, f. & cert. ef. 6-19-00

291-005-0035

Termination of Access

(1) Notice of termination of employment or a transfer to a position not requiring access under these rules shall result in retirement of the individual's user identification. Prompt notice of termination or transfer shall be sent to the DOC network security officer by the functional unit manager or designee who handles user authorization. This procedure also applies to users from external organizations and Oregon Corrections Enterprises.

(2) Functional unit managers or their designees shall review annually for accuracy a list of users from their respective units. The Information Systems and Services Division (ISSD) shall provide the list.

(3) Managers of external users shall review a list of users annually and confirm those needing continued access. ISSD shall provide the list.

(4) Newly-created user profiles that are not used within three weeks will be disabled.

(5) Owners of existing profiles that are not used for a period of three months will be sent a letter by the DOC network security officer to confirm continued need for access. If there is no response, the profile will be disabled after six months of inactivity.

(6) Passwords that have been disabled for a period of three months will be deleted.

Stat. Auth.: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Stats. Implemented: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Hist.: CD 7-1981, f. & ef. 4-17-81; CD 38-1985, f. & ef. 8-16-85; CD 12-1986, f. & ef. 6-30-86; CD 24-1992, f. 11-24-92, cert. ef. 12-1-92; CD 10-1997, f. & cert. ef. 6-20-97; DOC 16-1999, f. 9-24-99, cert. ef. 10-1-99; DOC 23-1999(Temp), f. 7 cert ef. 12-22-99 thru 6-19-00; DOC 11-2000, f. & cert. ef. 6-19-00
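The inactivity thresholds in 291-005-0035(4) through (6) form a small account-lifecycle procedure that an administrator would want to audit mechanically. The following is an added example (not the department's or ISSD's own code) that evaluates each profile against those thresholds and reports the action the rule calls for. It assumes a "month" of 30 days and a "week" of seven days, that a profile and its password are disabled together, and constructed sample profiles; the `Profile` fields and the `required_action`/`audit` names are this example's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds from 291-005-0035(4)-(6). Treating a month as 30 days and a
# week as 7 days is an assumption of this example, not something the rule states.
NEW_PROFILE_GRACE = timedelta(weeks=3)     # (4) new profile never used
INACTIVITY_NOTICE = timedelta(days=90)     # (5) letter after three months idle
INACTIVITY_DISABLE = timedelta(days=180)   # (5) disable after six months, no response
DISABLED_DELETE = timedelta(days=90)       # (6) delete after three months disabled


@dataclass
class Profile:
    user_id: str
    created: date
    last_used: Optional[date]          # None: the profile has never been signed on
    disabled_on: Optional[date] = None # None: currently enabled
    notice_sent: bool = False          # confirmation letter under (5) was sent
    notice_answered: bool = False      # owner confirmed continued need


def required_action(p: Profile, today: date) -> str:
    """Return the action the rule requires for profile p as of `today`.

    One of: "delete", "disable", "send_notice", "none".
    """
    if p.disabled_on is not None:
        # (6): a disabled profile/password is deleted after three months
        return "delete" if today - p.disabled_on >= DISABLED_DELETE else "none"

    if p.last_used is None:
        # (4): newly created and never used within three weeks
        return "disable" if today - p.created >= NEW_PROFILE_GRACE else "none"

    idle = today - p.last_used
    # (5): the letter must precede disabling; only an unanswered letter
    # plus six months of inactivity leads to disabling.
    if idle >= INACTIVITY_DISABLE and p.notice_sent and not p.notice_answered:
        return "disable"
    if idle >= INACTIVITY_NOTICE and not p.notice_sent:
        return "send_notice"
    return "none"


def audit(profiles: List[Profile], today: date) -> Dict[str, str]:
    """Map every user id to the action required on the audit date."""
    return {p.user_id: required_action(p, today) for p in profiles}


# Constructed sample data: user ids and dates are invented for this example.
AUDIT_DATE = date(2014, 11, 15)
SAMPLE_PROFILES = [
    Profile("new_unused", created=date(2014, 10, 1), last_used=None),
    Profile("new_fresh", created=date(2014, 11, 5), last_used=None),
    Profile("idle_notice_due", created=date(2013, 1, 1), last_used=date(2014, 7, 1)),
    Profile("idle_no_response", created=date(2013, 1, 1), last_used=date(2014, 4, 1),
            notice_sent=True),
    Profile("idle_confirmed", created=date(2013, 1, 1), last_used=date(2014, 4, 1),
            notice_sent=True, notice_answered=True),
    Profile("disabled_old", created=date(2013, 1, 1), last_used=date(2014, 1, 1),
            disabled_on=date(2014, 7, 1)),
    Profile("disabled_recent", created=date(2013, 1, 1), last_used=date(2014, 1, 1),
            disabled_on=date(2014, 10, 1)),
]

if __name__ == "__main__":
    for user, action in audit(SAMPLE_PROFILES, AUDIT_DATE).items():
        print(f"{user:18s} {action}")
```

Running the block prints one line per sample profile; the `idle_confirmed` case shows why the `notice_answered` flag matters, since a profile whose owner answered the letter stays enabled however long it has been idle.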

291-005-0045

Dial-Up Access

(1) Authorized persons may be granted access to DOC information systems by means of dial-up connection on a need-to-use basis. Such access shall be via the same user identification and password issued for non-dial-up access.

(2) Dial-up access is permitted by means of user identification and password only. The use of open user accounts and automatic sign-on are not permitted.

(3) No inmate/offender shall be permitted to access DOC information systems by means of dial-up connection.

(4) The ISSD standards and guidelines require additional security controls to be used whenever dial-up access is authorized.

Stat. Auth.: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Stats. Implemented: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Hist.: CD-24-1992, f. 11-24-92, cert. ef. 12-1-92; CD 10-1997, f. & cert. ef. 6-20-97; DOC 16-1999, f. 9-24-99, cert. ef. 10-1-99

291-005-0055

User Password Management and Responsibilities

(1) Authorized users shall comply with the following rules to create and manage their passwords:

(a) All user accounts shall be protected by use of a password. This password shall be generated by and known only to the individual user.

(b) The DOC network security officer shall determine password characteristics.

(2) Password Duration: All user passwords shall be subject to automatic retirement at a maximum set in the standards and guidelines. Authorized users may change passwords as often as they wish during this period and are encouraged to do so.

(3) Password Violation: Violation of these rules is a disciplinary matter, up to and including dismissal as a consequence.

(4) A user account shall be automatically disabled when there have been more than three successive unsuccessful attempts at sign-on.

(5) The DOC network security officer or designee may re-enable a disabled password.

(6) Personal Computer Network Access: Personal computers (PCs) which connect to the local or wide area network for the purpose of accessing and using file, disk, application, and printer services must be treated with the same care and diligence accorded to terminals connected directly to a computer system. Such PC connections must be mediated by the user's log-on name and password.

Stat. Auth.: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Stats. Implemented: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Hist.: CD-24-1992, f. 11-24-92, cert. ef. 12-1-92; CD 10-1997, f. & cert. ef. 6-20-97; DOC 16-1999, f. 9-24-99, cert. ef. 10-1-99
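291-005-0055(4) and (5) describe a lockout procedure: an account is disabled once there have been more than three successive unsuccessful sign-on attempts, a successful sign-on in between resets the count, and only the DOC network security officer or designee may re-enable it. The following is an added example (not the department's or ISSD's own code) that replays a constructed sign-on log through that procedure and reports the outcome of each attempt. The log format, the user names, and the `SignOnMonitor` class are assumptions of this example; it does not verify passwords itself, it only consumes the success/failure result of each attempt.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# 291-005-0055(4): "more than three successive unsuccessful attempts" locks the
# account, so the fourth consecutive failure disables it.
MAX_SUCCESSIVE_FAILURES = 3

# Constructed log format for this example: "<timestamp> user=<id> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(r"^(\S+ \S+) user=(\S+) result=(FAIL|SUCCESS)$")


@dataclass
class AccountState:
    failures: int = 0      # successive failures since the last success
    disabled: bool = False


class SignOnMonitor:
    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def record(self, user: str, success: bool) -> str:
        """Apply one sign-on result and return its outcome.

        Outcomes: "ok", "failed", "disabled" (this attempt tripped the lock),
        "rejected_disabled" (account already locked; no attempt is honoured).
        """
        st = self.accounts.setdefault(user, AccountState())
        if st.disabled:
            return "rejected_disabled"
        if success:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures > MAX_SUCCESSIVE_FAILURES:
            st.disabled = True
            return "disabled"
        return "failed"

    def re_enable(self, user: str, by_security_officer: bool) -> bool:
        """(5): only the network security officer or designee may re-enable."""
        st = self.accounts.get(user)
        if st is None or not by_security_officer:
            return False
        st.disabled = False
        st.failures = 0
        return True


def replay(lines: List[str]) -> List[str]:
    """Feed log lines through a fresh monitor; return the outcome per line."""
    monitor = SignOnMonitor()
    outcomes = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            outcomes.append("unparsed")
            continue
        _ts, user, result = m.groups()
        outcomes.append(monitor.record(user, result == "SUCCESS"))
    return outcomes


# Constructed sample log: user ids and timestamps are invented for this example.
SAMPLE_LOG = [
    "2014-11-15 08:00:01 user=jdoe result=FAIL",
    "2014-11-15 08:00:09 user=jdoe result=FAIL",
    "2014-11-15 08:00:15 user=jdoe result=SUCCESS",   # resets jdoe's counter
    "2014-11-15 08:01:02 user=jdoe result=FAIL",
    "2014-11-15 08:01:10 user=jdoe result=FAIL",
    "2014-11-15 08:01:18 user=jdoe result=FAIL",
    "2014-11-15 08:01:25 user=jdoe result=FAIL",      # fourth in a row: disabled
    "2014-11-15 08:02:00 user=jdoe result=SUCCESS",   # correct password, still rejected
    "2014-11-15 08:05:00 user=asmith result=FAIL",
    "2014-11-15 08:05:30 user=asmith result=SUCCESS",
]

if __name__ == "__main__":
    for line, outcome in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"{outcome:18s} {line}")
```

The point worth noticing in the replay is the eighth line: once the lock has tripped, even a correct password is rejected until `re_enable` is called with security-officer authority, which is exactly the separation of duties (5) requires.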

291-005-0065

Information Systems and Services Division (ISSD) Responsibilities for User Identification

To implement user accountability, the following rules shall be strictly enforced by ISSD:

(1) The same user identification (numeric value and/or user name) shall not be assigned to more than one user.

(2) Group accounts are not allowed. A group account is a log-on or sign-on user name and password which is shared by more than one person.

(3) Open user accounts are not allowed. An open user account is a log-on user name for which there is no password, or for which the password is publicly known.

Stat. Auth.: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Stats. Implemented: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Hist.: CD-24-1992, f. 11-24-92, cert. ef. 12-1-92; CD 10-1997, f. & cert. ef. 6-20-97; DOC 16-1999, f. 9-24-99, cert. ef. 10-1-99

291-005-0075

Physical Security Guidelines

(1) Computer equipment shall be protected from unnecessary risk of access, damage or theft.

(2) An annual evaluation of physical security for AS400 computer sites shall be conducted by AS400 system operators. The findings of this evaluation shall be reported by the system operators to the work group.

(3) An annual evaluation of physical security for computer equipment used by their respective staff shall be conducted by the functional unit managers or their designees, who are in charge of user authorization.

(4) Physical security guidelines for AS400 sites and computer equipment shall be developed by ISSD and reviewed and approved by the automation security officer.

Stat. Auth.: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Stats. Implemented: ORS 179.040, ORS 423.020, ORS 423.030 & ORS 423.075
Hist.: CD-24-1992, f. 11-24-92, cert. ef. 12-1-92; CD 10-1997, f. & cert. ef. 6-20-97; DOC 16-1999, f. 9-24-99, cert. ef. 10-1-99

The official copy of an Oregon Administrative Rule is contained in the Administrative Order filed at the Archives Division, 800 Summer St. NE, Salem, Oregon 97310. Any discrepancies with the published version are satisfied in favor of the Administrative Order. The Oregon Administrative Rules and the Oregon Bulletin are copyrighted by the Oregon Secretary of State.

Oregon Secretary of State • 136 State Capitol • Salem, OR 97310-0722
Phone: (503) 986-1523 • Fax: (503) 986-1616 • oregon.sos@state.or.us

© 2013 State of Oregon All Rights Reserved