Maryland Cybersecurity Policies

Department of Information Technology

CYBERSECURITY POLICIES

The Maryland Department of Information Technology (DoIT) is committed to managing the confidentiality, integrity, and availability of State information technology networks, systems and applications (IT Systems). The State supports and utilizes the standards developed by the National Institute of Standards and Technology (NIST) as the framework behind the planning, procurement, development, and implementation of State IT and telecommunications systems.

The Maryland Cybersecurity Program implements information security initiatives across all IT Systems supported by, or under the policy authority of, DoIT as directed within the scope of the Secretary of Information Technology’s authority under the 2013 Maryland Code §§ 3A-303 and 3A-305. One of the most important measures in managing the risk associated with information technology is the implementation of sound policies and processes that reinforce established standards and best practices throughout the cybersecurity industry.

The image above provides a link to a graphical view of these policies, categorized by security family, so the reader may have a clearer understanding of how the policies support and affect the State’s mission. These policies are described below in an alphabetical format for the reader to reference any specific policy at their leisure. If there are any questions, concerns, or suggestions please submit a ServiceNow ticket assigned to “Security Services” through the DoIT Service Desk by calling (410) 697-9700, or submit an email by clicking on this email link: service.desk@maryland.gov.


Acceptable Use Policy
Effective: 1/31/2017

Effective security is a team effort involving the participation and support of every information system user who deals with information and Information Technology (IT) assets. Defining acceptable use sets boundaries and establishes guidance on how these IT resources are to be used. Appropriate use of IT resources and effective security are integral to protecting the confidentiality, integrity, and availability of IT systems and assets. View policy


Account Management Policy
Effective: 1/31/2017

This policy establishes the DoIT account management policy and requires all agencies not under the direct management of DoIT to develop a process for documenting, managing, and maintaining all user and system accounts authenticating to the IT infrastructure. View policy


Asset Management Policy
Effective: 1/31/2017

Compiling and maintaining an inventory of all technology assets – hardware, software, and virtualized assets – is one of the fundamental aspects of risk management and cybersecurity. Additionally, asset management holds system owners, data owners, and logistics accountable for tracking assets throughout the system lifecycle. View policy


Auditing and Compliance Policy
Effective: 1/31/2017

To ensure DoIT continues to maintain the confidentiality, integrity, and availability of the information systems and the data contained on them, DoIT must audit State-owned assets and connections to ensure that: (1) secure configurations are implemented, (2) agencies are managing change across the network, and (3) risks within the IT architecture are discovered and mitigated. This is a critical part of risk management and verifies that agencies comply with established policies, regulations, laws, directives, and orders. View policy


Authority to Operate Policy
Effective: 1/31/2017

All agencies are responsible for ensuring that all devices and networks comply with security policies, secure configuration standards, and regulatory requirements before they are approved to operate IT environments. This policy defines the requirements for agencies to submit for an Authority to Operate (ATO) or Interim Authority to Operate (IATO) certification by the State’s Designated Approving Authority (DAA) and begin operations within the State environment. View policy


Boundary Protection and Internet Access Policy
Effective: 1/31/2017

The establishment of perimeter defense mechanisms is an important part of minimizing exposure to security threats. This includes managing security controls for the boundaries between the DoIT Enterprise and subordinate agency networks, or between the DoIT Enterprise and 3rd party networks including the Internet. View policy


Cloud Services Security Policy
Effective: 1/31/2017

Executive Branch agencies are beginning to implement cloud technology to provide important information and services to internal staff and Maryland customers. Cloud Service Providers (CSP) must be adequately assessed and meet minimum security requirements before any State of Maryland information, system, or infrastructure can be hosted outside of a State-owned or managed environment. This policy identifies the minimum controls CSPs must meet to ensure the security posture of the State is not adversely affected. View policy


Configuration Management Policy
Effective: 1/31/2017

Configuration management and change management are two more fundamental aspects of risk management and cybersecurity. They are critical to establishing an initial baseline of the hardware, software, and firmware used throughout a network. Changes to these baselines must be diligently controlled and effectively managed. This allows DoIT and agencies to control change through timely documentation and by ensuring change is authorized by leadership, thereby preventing unaccounted-for deviation. Change management also ensures that continuous monitoring capabilities can more easily identify unauthorized changes in the environment and establish event baselines that generate alerts on unauthorized changes. View policy


Contingency Planning Policy
Effective: 1/31/2017

The Executive Branch agencies offer many important services to Maryland residents, employees, and businesses. Efficient and effective contingency planning and disaster recovery create resilient agencies that can continue essential operations during unplanned service-interrupting events. This policy contains the requirements for Contingency Planning and Disaster Recovery capabilities within DoIT and other Maryland Executive Branch agencies. View policy


Continuous Monitoring Policy
Effective: 1/31/2017

One of the cybersecurity initiatives within the DoIT Enterprise is the Security Operations Center (SOC), which serves as a key component in protecting the systems and information collected, produced, or otherwise handled by State agencies. Continuous monitoring ensures the capability to identify anomalies and detect attacks within the Enterprise. Continuous monitoring establishes the capability to ingest data from multiple sources and analyze the aggregate information for potential loss or compromise. View policy


Cybersecurity Program Policy
Effective: 1/31/2017

This policy lays the foundation of the DoIT Cybersecurity Program and all supporting policies to ensure the information security of State IT resources is observed by all agencies under the policy authority of DoIT. View policy


Data Security Policy
Effective: 1/31/2017

Protecting the confidentiality of the information entrusted to the State of Maryland by its residents is vitally important to maintaining that trust. Effective data classification is paramount to controlling access to information, which ultimately allows the State to ensure confidential data is accessed only by those personnel whose duties require it, and to utilize technologies that track and control the flow of data. This policy establishes the baseline requirements for managing access to data and incorporating data loss prevention tools. View policy


Email Security Policy
Effective: 1/31/2017

Official correspondence must be exchanged securely to ensure all confidential data, such as PII and other sensitive or protected data, is safeguarded. This policy defines acceptable guidelines for the secure configuration and use of State-issued email services while helping to ensure that correspondence is exchanged securely to protect confidential data. View policy


Endpoint Protection Policy
Effective: 1/31/2017

Endpoint security management is an approach to network security that requires, and ensures, endpoint devices comply with specific criteria before being granted access to the network. The increasing ease and prevalence of a mobile-enabled workforce makes it more important than ever to protect endpoint devices and the security posture of IT systems. View policy


HIPAA Security Rule Policy
Effective: 1/31/2017

One of the roles of cybersecurity within an organization is ensuring compliance with regulatory requirements. Agencies considered covered entities (CE) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must comply with the requirements of the HIPAA Security Rule. This policy establishes the framework with which agencies considered CEs must comply. View policy


Incident Response Policy
Effective: 1/31/2017

Every organization will experience some form of data loss or compromise at some point, and DoIT is committed to providing a timely, efficient, and effective response to cybersecurity incidents. This policy establishes the baseline requirements for the processes and procedures that manage potential incidents and minimize the negative impact of data loss or compromise. By analyzing incidents and how each is handled, DoIT and other State agencies continuously progress toward a more protected environment as the nature of threats changes over time. View policy


Media Protection Policy
Effective: 1/31/2017

This policy directs DoIT and agencies to control portable and writeable media assets, such as external hard drives, DVDs, and USB flash drives, to minimize the risk of confidential data loss and to reduce the risk of unauthorized disclosure and possible data breach. Agencies must be protected against information loss by ensuring data is tracked and that access to data and media resources is limited to only those personnel with need-to-know. Media protection also requires portable media access be disabled on all devices except to those authorized to use these devices – this helps to prevent a malicious user from uploading malware to the environment or downloading confidential information to an unauthorized personal storage device. View policy


Mobile Device Security Policy
Effective: 1/31/2017

The State’s use of mobile technology offers employees and contractors a more flexible work environment that helps to increase performance and productivity. Technology options like this expand work locations and allow staff to move freely within their work areas. However, this creates security challenges in protecting the confidential information accessed by authorized users through mobile devices. This policy contains the requirements for Mobile Device Security and Management throughout DoIT and other Maryland Executive Branch Agencies to ensure that data and information systems accessed via mobile devices are protected from the latest threats. The document also contains user agreement forms for State-issued devices and Bring Your Own Device (BYOD) deployments. View policy


Network Documentation and Access Policy
Effective: 1/31/2017

Network documentation is critical to efficient troubleshooting, standardizing implemented controls, and recovering in the event of a data loss or an integrity-impacting event. Network documentation establishes baseline environments and will be updated regularly to ensure accuracy. This documentation is especially critical in the event of a security incident or during a disaster recovery operation and makes the task of rebuilding or repairing the network or isolating information flow during an incident much easier and more efficient. View policy


Official Use of Social Media Policy
Effective: 1/31/2017

The effective use of social media allows the State to broadcast relevant information to its constituents quickly. Agencies may provide emergency information, status updates for ongoing repairs or outages, and overall agency information using popular social media outlets. This policy establishes the use of these platforms in a safe, professional manner and ensures the accounts are monitored to prevent misuse. View policy


Patch Management Policy
Effective: 1/31/2017

Patch Management is a fundamental aspect of cybersecurity and is designed to prevent exploitation of known vulnerabilities. An effective patch management process helps mitigate the time and effort expended defending against vulnerabilities known to the information security field at large, and timely patching of known security issues is recognized as a best practice critical to maintaining the confidentiality, availability, and integrity of information systems. The time immediately after the release of a patch is a particularly vulnerable moment for organizations, because the window between obtaining, testing, and deploying a patch to the vulnerable IT Systems is sufficient for malicious entities to attempt various exploitation strategies. It is therefore imperative that an agency prioritizes patch management within its infrastructure. View policy


PCI DSS Compliance Policy
Effective: 1/31/2017

One of the roles of cybersecurity within an organization is ensuring compliance with regulatory requirements, including the Payment Card Industry Data Security Standard (PCI DSS). Since many agencies use and accept credit card payments, either through online services or payment terminals at customer locations, this policy establishes the framework with which agencies under the policy authority of DoIT must comply. View policy


Physical and Environmental Protection Policy
Effective: 1/1/2017

Personnel safety is paramount to the Department of Information Technology and the State of Maryland. Along with ensuring personnel safety, agencies must implement security measures to protect data, equipment, and the facilities housing State resources. These physical and environmental security controls are established within agencies to promote the security posture of the State and prevent, detect, and minimize the effects of unauthorized or unintended access to these areas. View policy


Public and Confidential Information Policy
Effective: 1/31/2017

The establishment of data classification levels is an important part of ensuring the protection and dissemination of potentially confidential data. The Maryland Executive Branch utilizes the definitions and guidelines established by the State of Maryland and relevant laws, such as 2013 Maryland Code §§10-1301 - 1308, relating to Public and Confidential Information requiring information to be classified appropriately and protected according to its security categorization (as defined in FIPS-199). This policy establishes how public and confidential data is defined and handled within the Enterprise and agencies under the policy authority of DoIT. View policy


Remote Access Policy
Effective: 1/31/2017

The use of technology to work from remote locations, such as employees in the field or on-call staff accessing the network from home, is becoming more common. Remote access increases exposure to external threats by introducing additional attack vectors that may lead to compromise or data loss – therefore, effective security implementation is necessary. This policy ensures security procedures are integrated into remote connections to protect the information systems and the data that reside on them. View policy


Security Assessment Policy
Effective: 1/31/2017

An agency must identify risks and prioritize efforts to reduce the impact those risks pose as much as possible. This policy sets standards for Risk Assessment, Vulnerability Assessment, and Penetration Testing as an overall approach to identifying exploitation vectors and assessing the potential for data compromise posed by cyber threats against infrastructure vulnerabilities. View policy


Third Party Interconnection Policy
Effective: 1/31/2017

This policy establishes the baseline requirements for ensuring acceptable security measures exist between third-party interconnections, such as vendors or the Internet. Such connections must operate within acceptable risk levels and associated risk(s) must be assessed throughout the lifecycle of that connection. View policy


Virtualization Policy
Effective: 1/1/2017

Organizations, including government agencies, are increasingly reliant upon virtualized environments, consolidating networking, server, and desktop capabilities to gain efficiency and maximize the use of limited hardware and software resources. The State’s use of virtualization technology creates security challenges that must be addressed when deploying, migrating, and administering virtual machines. This policy establishes the information security requirements for virtualization to ensure consistent and secure deployment of virtualized systems. View policy


Wireless Access Policy
Effective: 1/31/2017

Implementation of wireless technologies offers new challenges in balancing information access with protecting data, which requires that security is properly designed and integrated into the devices and connections that support it. This policy establishes the use of wireless technologies and the baseline requirements for proper implementation within Executive Agencies. View policy