
DHS Policy: Oregon Department of Human Services
Administrative Services
Policy Title: DHS Information Access Control Security
Policy Number: DHS-090-003
Version: 3.0
Effective Date: 01/09/2006

Approved By: DHS Chief Administrative Officer
Approved Date: 01/09/2006


Overview

Description: This policy sets forth the requirement for access control of DHS information assets.

Purpose/Rationale: The confidentiality, integrity and availability of information stored within the information systems of the Department of Human Services (DHS) must be protected. Therefore, only authorized users can access specific information assets.

Applicability: Full and part-time employees, temporary workers and volunteers who are granted access to the DHS network and information computer systems are covered by this policy. These individuals shall comply with this policy and associated policies, procedures and guidelines.

Failure to Comply: For DHS employees, temporary workers, and volunteers, failure to comply with information security policies or other associated policies, procedures, standards, and guidelines may result in disciplinary action up to and including termination of employment.

Legal actions may be taken for violations of applicable regulations and laws and can also lead to personal liabilities. Access privileges, by any user, are subject to modification, restriction or termination as a result of failure to comply. Contracts or agreements may be subject to access amendment or termination.


Policy

  1. General
    1. DHS controls access to its information assets in computer systems. Only authorized users shall be granted access. Authorized users shall be limited to specific defined, documented, and approved systems and applications, as determined by their level of access rights (i.e., role-based access control) (see DHS-100-003 and DHS-100-004).
    2. Access Authorization (Managers/Contract Administrators): Managers and/or contract administrators will grant access to users based on what the user requires to accomplish their assigned duties. The Individual User Profile (IUP) forms (DHS 0780-0784) shall be used for processing all requests (see DHS-090-003-01 and DHS-090-003-02 procedures).
    3. Access Approval (Users): Information users shall inform their manager or contract administrator if the approved access is not sufficient to carry out their assigned duties (see DHS 0780 form series).
    4. Access Control Protection: Electronic information assets shall be protected through access controls, which prevent improper creation, disclosure, modification, deletion or data unavailability. Examples of access control systems include, but are not limited to, secured building areas, traditional system passwords, etc., as well as other access control technologies.
    5. Consistent Protection: Access controls shall be applied consistently to electronic information assets throughout their life cycle, from origination to destruction.
  2. Responsibilities
    1. Managers shall evaluate each information user's access to verify their continued need for assigned access level whenever work assignments change, or at a minimum annually.
    2. Managers shall immediately request revocation of access privileges when a user leaves state service, or when changes occur and the user no longer requires the same access privileges.
    3. The Information Security Officer shall maintain a list of managers having primary responsibility for information assets and the area of information assets to which their authority extends.

    (NOTE: Also see additional responsibilities noted in section 5., Contracting, of this policy.)

  3. Authentication
    1. All individuals approved for information computer system access shall be properly identified per sections 1 and 2 of this policy. User identification takes the form of a unique, assigned personal identifier combined with a password, at a minimum (see policy DHS-090-002).
    2. System administrators shall assign a unique user identification to the authorized information user upon notification of access approval (see procedure DHS-090-002-01).
    3. Information system owners shall authenticate all users, where applicable. Unauthorized users shall be denied access.
    4. Manual authentication processes, the DHS 0780 series forms, are available for use.
  4. Modifying and Revoking Access Privileges
    1. The following circumstances require managers to request appropriate modification and/or revocation of access privileges to information assets and data systems:
      1. When users are functioning outside of their current work assignments, modify and/or revoke access privileges.
      2. During a user's extended leave, and/or when deemed appropriate by the Human Resources Office, revoke access privileges.
      3. Upon termination of a user from DHS, revoke all access privileges.
    2. Automatic revocation of user access privileges shall occur after 180 days of non-logon to information systems or applications, where possible.
    3. Unauthorized or wrongful use or disclosure of information assets may cause the immediate revocation of access based on DHS-090-005, Privacy and Security Incident Management Policy.
  5. Contracting
    1. The Office of Contracts and Procurements (OC&P) shall include security language in all contracts where the program identifies that the Contracting Business Entity (CBE) will require access to DHS information assets, information services or information technology equipment.
    2. DHS contract administrators shall have the right to review the role of the users assigned by the CBE, annually at a minimum, or at the time when the contract is being initiated, amended, or has expired, to verify the ongoing need for the assigned computer system access level. Review may also occur in response to security incidents (see policy DHS-090-005).
    3. The Information Security Officer and the DHS contract administrators shall consult with each other about appropriate access control requirements for a contract, when deemed necessary.
    4. The Information Security Officer reserves the right to require that additional access controls be applied to a contract.
    5. When a contract allows DHS access to the CBE's information, and the CBE has its own security requirements, the Information Security Office (ISO) will perform an information security risk assessment to evaluate DHS' ability to meet those requirements. The ISO will provide an information security management plan, which will allow the CBE to accept, mitigate or transfer the risk.

Oregon Department of Human Services
500 Summer St. NE E25, Salem, OR 97301-1098
Phone: (503) 945-5944
Fax: (503) 378-2897
TTY: (503) 947-5330