Division of Technology

Policies and Procedures

The Division of Information Security is pleased to be able to provide the following resources, which include information security policies, standards, guidelines, procedures, data classification schema, self-assessment tools and information security product information. To access the desired information, please click on the appropriate link below:
 

Policies

The development of enterprise security policies and standards is a critical step in setting the direction and framework for the information security program. Deloitte and Touche, LLP, has assisted the South Carolina Department of Administration in preparing enterprise information security policies. These policies are designed to improve the State's security posture and will align information security with an agency's mission, goals and objectives.
 
Guidance for policy adoption and implementation is provided in the Policy Handbook found below:
Policies that are provided in MS Word and PDF format:

Standards

The following standards establish mandatory requirements for compliance with the above policies.

Guidelines

The following guidelines are intended to assist state agencies in compliance with the policies and standards above.
 
Asset Management Guidelines
 
The Microsoft Excel template included below is provided by the Division of Information Security for use in the manual collection of information technology asset data.
 
Deloitte and Touche, LLP, recommends starting with one category and asset class at a time. After completing one category, it is recommended that you expand the asset data categories you collect with each iteration of the asset management process. The spreadsheet template is set up to classify mobile devices (i.e. laptops, USBs, cell phones).
 
A presentation is also included below that describes in detail how to develop an approach for collecting and maintaining an agency's IT asset inventory and data.

Procedures

The following procedures establish minimum baseline processes to be followed by state agencies to comply with the policies and standards above.

Data Classification Schema and Guidelines

A data classification model is used to create a categorization of the State's data for efficient use and protection. Without knowing what type of data exists, who can access it, where it is located, and its value to the State, it is difficult to adequately protect data from malicious users and to develop policies and procedures to prevent the misuse of sensitive information.
 
The data classification model is based on the following four categories: public, internal use, confidential and restricted. 
The Data Inventory Tool is designed to help agencies analyze system security controls. Several supporting documents have also been provided in an effort to assist agencies with the Data Classification and System Control Analysis procedures.

Self-Assessment Tool

The agency self-assessment tool included below is a Microsoft Excel spreadsheet containing worksheets that will help guide you through a detailed assessment of your agency's information security system. The self-assessment tool provides agency information security departments with a simple and concise methodology by which to assess current practices against their potential risk.
 
This tool also contains a heat map to identify potentially high-risk areas based on current practices. Instructions for completing the self-assessment are contained in the spreadsheet.

Information Security Project Products

The contracts listed below are DIS-approved data security products for the security control domain in which they are listed.
 
Data Discovery
 
  • Symantec - Network Discover Products
  • EMC - RSA Data Discovery
  • Websense - Data Discover

Laptop/Desktop Encryption
 
  • Symantec - PGP Whole Disk Encryption Products
  • Microsoft - BitLocker Drive Encryption (available through Microsoft Pro OS with Software Assurance)

Privileged User Management
 
  • CyberArk Software - Privileged Identity Management
  • CA Technologies - CA Control Minder

Third Party Patch Management
 
  • IBM - Tivoli Endpoint Manager Solution
  • Secunia - Corporate Software Inspector (CSI)

Two Factor Authentication
 
  • SafeNet - SafeNet Authentication
  • EMC - RSA SecurID
  • Gemalto - IDConfirm

Unified Threat Management
 
  • CheckPoint - CheckPoint UTM
  • Fortinet - FortiGate Unified Threat Management
  • Juniper - SRX series UTM

Virtual Private Network Devices
 
  • Cisco - SSL VPN Products
  • F5 Networks - BIG IP Products
  • Juniper - MAG Series Junos Pulse Gateways

Check back regularly for updates in these product categories.