Tightening the belt

A closer look at Kansas' Department of Administration's security policy

A closer look at Kansas' Department of Administration's security policy

In making the determination to use data and file encryption, the following

risks should be considered:

* Loss of state funds.

* Violation of individual expectations of privacy.

* Violation of state or federal law.

* Civil liability on the part of Department of Administration.

* Compromise of legal/investigative efforts.

* Loss of business opportunities for affected persons.

* Undue advantage to any person in the department's competitive business

relations.

Passwords must be:

* Individually owned.

* Kept confidential.

* Changed whenever disclosure has occurred or may have occurred, and

changed at least every 30 days.

* Changed significantly (i.e., not a minor variation of the current

password).

* A minimum of six characters, using alphanumeric characters.

* Encrypted when held in storage or when transmitted over communications

networks.

* Suspended after no more than three unsuccessful log-on attempts.

* Limited to one use when initially issued or when reset or reissued

by security administration personnel.