Policies and Procedures
The Division of Information Security is pleased to be able to provide the following resources, which include information security policies, standards, guidelines, procedures, data classification schema, self-assessment tools and information security product information. To access the desired information, please click on the appropriate link below:
The development of enterprise security policies and standards is a critical step in setting the direction and framework for the information security program. Deloitte and Touche, LLP, has assisted the South Carolina Department of Administration in preparing enterprise information security policies. These polices are designed to improve the State's security posture and will align information security with an agency's mission, goals and objectives.
Guidance for policy adoption and implementation is provided in the Policy Handbook found below:
- SC Information Security Policy Handbook (PDF)
- SC Information Security Policy Handbook - Appendices (PDF)
Policies that are provided in MS Word and PDF format:
- Master Policy (Word) (PDF)
- Asset Management Policy (Word) (PDF)
- Access Control Policy (Word) (PDF)
- Info. Systems Acquisitions Development and Maint. Policy (Word) (PDF)
- Threat Vulnerability Management Policy (Word) (PDF)
- Business Continuity Management Policy (Word) (PDF)
- IT Risk Strategy Policy (Word) (PDF)
- Mobile Security Policy (Word) (PDF)
- Human Resources and Security Awareness Policy (Word) (PDF)
- Physical Environmental Security Policy (Word) (PDF)
- Risk Management Policy (Word) (PDF)
- IT Compliance Policy (Word) (PDF)
The following standards establish mandatory requirements for compliance with the above policies.
- SCDIS-200 Information Security and Privacy Standards (Excel) [18-Sep-2015]
- SCDIS-210 InfoSec Technology Coverage Standards (PDF) – DRAFT [updated 11-Aug-2015]
The following guidelines are intended to assist state agencies in compliance with the policies and standards above.
Asset Management Guidelines
The Microsoft Excel template included below is provided by the Division of Information Security for use in the manual collection of information technology asset data.
Deloitte and Touche, LLP, recommends starting with one category and asset class at a time. After completing one category, it is recommended you increase your asset data category collection after each iteration of the asset management process. The spreadsheet template is setup to classify mobile devices (i.e. laptops, USBs, cell phones).
A presentation is also included below that describes in detail how to develop an approach for collecting and maintaining an agency's IT asset inventory and data.
The following procedures establish minimum baseline processes to be followed by state agencies to comply with the policies and standards above.
- SCDIS-501 Information Media Disposal Procedure (PDF) [01-Jul-2016]
By law (South Carolina Code Ann. § 30-2-310) all state agencies are to follow this procedure to securely transfer or dispose of information technology hardware or storage media.
Data Classification Schema and Guidelines
A data classification model is used to create a categorization of the State's data for efficient use and protection. Without knowing what type of data exists, who can access it, where it is located, and its value to the State, it is difficult to adequately protect data from malicious users, and develop policies and procedures to prevent the misuse of sensitive information.
The data classification model is based on the following four categories: public, internal use, confidential and restricted.
The Data Inventory Tool is designed to help agencies analyze system security controls. Several supporting documents have also been provided in an effort to assist agencies with the Data Classification and System Control Analysis procedures.
- Template Data Inventory Tool (1.2)
- Data Inventory Analysis Report Instructions Template (1.4)
- Auditing and Monitoring Plan Instructions Template (1.5)
The agency self-assessment tool included below is a Microsoft Excel spreadsheet containing worksheets that will help guide you through a detailed assessment of your agency's information security system. The self-assessment tool provides agency information security departments with a simple and concise methodology by which to assess current practices against their potential risk.
This tool also contains a heat map to identify potentially high risk areas based on current practices. Instructions for completing the self-assessment are contained in the spreadsheet.
Information Security Project Products
The contracts listed below are DIS-approved data security products for the security control domain in which they are listed.
- Symantec - Network Discover Products
- EMC - RSA Data Discovery
- Websense - Data Discover
- Symantec - PGP Whole Disk Encryption Products
- Microsoft - BitLocker Drive Encryption (available through Microsoft Pro OS with Software Assurance)
Privileged User Management
- CyberArk Software - Privileged Identity Management
- CA Technologies - CA Control Minder
Third Party Patch Management
- IBM - Tivoli Endpoint Manager Solution
- Secunia - Corporate Software Inspector (CSI)
Two Factor Authentication
- SafeNet - SafeNet Authentication
- EMC - RSA SecureID
- Gemalto - IDConfirm
Unified Threat Management
- CheckPoint - CheckPoint UTM
- Fortinet - Fortigate Unified Threat Management
- Juniper - SRX series UTM
Virtual Private Network Devices
- Cisco - SSL VPN Products
- F5 Networks - BIG IP Products
- Juniper - MAG Series Junos Pulse Gateways
Check back regularly for updates in these product categories.