Department of Information Technology

CYBERSECURITY POLICIES

The Maryland Department of Information Technology (DoIT) is committed to managing the confidentiality, integrity, and availability of State information technology networks, systems and applications (IT Systems). The State supports and utilizes the standards developed by the National Institute of Standards and Technology (NIST) as the framework behind the planning, procurement, development, and implementation of State IT and telecommunications systems.

The Maryland Cybersecurity Program implements information security initiatives across all IT Systems supported by, or under the policy authority of, DoIT as directed within the scope of the Secretary of Information Technology’s authority under the 2013 Maryland Code §§ 3A-303 and 3A-305. One of the most important measures in managing the risk associated with information technology is the implementation of sound policies and processes that reinforce established standards and best practices throughout the cybersecurity industry.

The image above provides a link to a graphical view of these policies, categorized by security family, so the reader may have a clearer understanding of how the policies support and affect the State’s mission. The policies are described below in alphabetical order so the reader can reference any specific policy at their leisure. If there are any questions, concerns, or suggestions, please submit a ServiceNow ticket assigned to “Security Services” through the DoIT Service Desk by calling (410) 697-9700, or send an email to service.desk@maryland.gov.

Acceptable Use Policy

Maryland DOIT Acceptable Use Policy v1.0 - Effective: 1/31/2017

Effective security is a team effort involving the participation and support of every information system user who deals with information and Information Technology (IT) assets. Defining acceptable use sets boundaries and establishes guidance on how these IT resources are to be used. Appropriate use of IT resources and effective security are integral to protecting the confidentiality, integrity, and availability of IT systems and assets.

Account Management Policy

Maryland DOIT Account Management Policy v1.0.pdf - Effective: 1/31/2017

This policy establishes the DoIT account management policy and requires all agencies not under the direct management of DoIT to develop a process for documenting, managing, and maintaining all user and system accounts authenticating to the IT infrastructure.

Asset Management Policy

Maryland DOIT Asset Management Policy v1.0.pdf - Effective: 1/31/2017

Compiling and maintaining inventory of all technology assets – hardware, software, and virtualized assets – is one of the fundamental aspects of risk management and cybersecurity. Additionally, asset management holds systems owners, data owners, and logistics accountable for tracking assets throughout the system lifecycle.

Auditing and Compliance Policy

Maryland DoIT Auditing and Compliance Policy v1.0.pdf - Effective: 1/31/2017, revised 5/30/2017

To ensure DoIT continues to maintain the confidentiality, integrity, and availability of its information systems and the data they contain, DoIT must audit State-owned assets and connections to ensure that: (1) secure configurations are implemented, (2) agencies are managing change across the network, and (3) risks within the IT architecture are discovered and mitigated. This is a critical part of risk management and verifies that agencies comply with established policies, regulations, laws, directives, and orders.

Authority to Operate Policy

Maryland DOIT Authority to Operate Policy v1.0.pdf - Effective: 1/31/2017

All agencies are responsible for ensuring that all devices and networks comply with security policies, secure configuration standards, and regulatory requirements before they are approved to operate in IT environments. This policy defines the requirements for agencies to submit for an Authority to Operate (ATO) or Interim Authority to Operate (IATO) certification by the State’s Designated Approving Authority (DAA) and begin operations within the State environment.

Boundary Protection and Internet Access Policy

Maryland DOIT Boundary Protection and Internet Access Policy v1.0 - Effective: 1/31/2017

The establishment of perimeter defense mechanisms is an important part of minimizing exposure to security threats. This includes managing security controls for the boundaries between the DoIT Enterprise and subordinate agency networks, or between the DoIT Enterprise and 3rd party networks including the Internet.

Cloud Services Security Policy

Cloud Services Security Policy v1.0.pdf - Effective: 1/31/2017, 6/09/2017

Executive Branch agencies are beginning to implement cloud technology to provide important information and services to internal staff and Maryland customers. Cloud Service Providers (CSP) must be adequately assessed and meet minimum security requirements before any State of Maryland information, system, or infrastructure can be hosted outside of a State-owned or managed environment. This policy identifies the minimum controls CSPs must meet to ensure the security posture of the State is not adversely affected.

Configuration Management Policy

Maryland DOIT Configuration Management Policy v1.0.pdf - Effective: 1/31/2017

Configuration management and change management are two more fundamental aspects of risk management and cybersecurity. They are critical to establishing an initial baseline of the hardware, software, and firmware used throughout a network. Changes to these baselines must be diligently controlled and effectively managed. This allows DoIT and agencies to control change through timely documentation and to ensure that change is authorized by leadership, thereby preventing unaccounted-for deviation. Change management also makes it easier for continuous monitoring capabilities to identify unauthorized changes in the environment and to establish event baselines that generate alerts on unauthorized changes.

Contingency Planning Policy

Contingency Planning Policy v.1.0.pdf - Effective: 1/31/2017, 06/02/2017

The Executive Branch agencies offer many important services to Maryland residents, employees, and businesses. Efficient and effective contingency planning and disaster recovery creates resilient agencies that can continue essential operations during unplanned service-interrupting events. This policy contains the requirements for Contingency Planning and Disaster Recovery capabilities within DoIT and other Maryland Executive Branch agencies.

Continuous Monitoring Policy

Maryland DOIT Continuous Monitoring Policy v1.0.pdf - Effective: 1/31/2017

One of the cybersecurity initiatives within the DoIT Enterprise is the Security Operations Center (SOC), which serves as a key component in protecting the systems and information collected, produced, or otherwise handled by State agencies. Continuous monitoring provides the capability to identify anomalies and detect attacks within the Enterprise. It establishes the capability to ingest data from multiple sources and analyze the aggregate information for indications of potential loss or compromise.

Cybersecurity Program Policy

Cybersecurity-program-policy-v1.0 (Updated with Sigs).pdf - Effective: 1/31/2017

This policy lays the foundation of the DoIT Cybersecurity Program and all supporting policies to ensure the information security of State IT resources is observed by all agencies under the policy authority of DoIT.

Data Security Policy

Data Security Policy v.1.0.pdf - Effective: 1/31/2017, 6/08/2017

Protecting the confidentiality of the information entrusted to the State of Maryland by its residents is vitally important to maintaining that trust. Effective data classification is paramount to controlling access to information, which ultimately allows the State to ensure confidential data is only accessed by those personnel whose duties require it and utilize technologies to track and control the flow of data. This policy establishes the baseline requirements for managing access to data and incorporating data loss prevention tools.

Email Security Policy

Email Security Policy v.1.0.pdf - Effective: 1/31/2017, revised 5/17/2017

Official correspondence must be exchanged securely to ensure all confidential data, such as PII, sensitive, and protected data is safeguarded. This policy defines acceptable guidelines for the secure configuration and use of State-issued email services while helping to ensure that correspondence is exchanged securely to protect confidential data.

Endpoint Protection Policy

Maryland DOIT Endpoint Protection Policy v1.0.pdf - Effective: 1/31/2017

Endpoint security management is an approach to network security that requires endpoint devices to comply with specific criteria, and verifies that they do, before they are granted access to the network. The increasing ease and prevalence of a mobile-enabled workforce makes it more important than ever to protect endpoint devices and the security posture of IT systems.

HIPAA Security Rule Policy

Maryland DOIT HIPAA Security Rule Policy v1.0.pdf - Effective: 1/31/2017

One of the roles of cybersecurity within an organization is ensuring compliance with regulatory requirements. Agencies considered covered entities (CEs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must comply with the requirements of the HIPAA Security Rule. This policy establishes the framework with which agencies considered CEs must comply.

Incident Response Policy

Maryland DOIT Incident Response Policy v1.0.pdf - Effective: 1/31/2017

Every organization will experience some form of data loss or compromise at some point, and DoIT is committed to providing a timely, efficient, and effective response to cybersecurity incidents. This policy establishes the baseline requirements for the processes and procedures that manage potential incidents and minimize the negative impact of data loss or compromise. By analyzing incidents and how each is handled, DoIT and other State agencies continuously progress toward a more protected environment as the nature of threats changes over time.

Media Protection Policy

Media Protection Policy v.1.0.pdf - Effective: 1/31/2017, 6/09/2017

This policy directs DoIT and agencies to control portable and writeable media assets, such as external hard drives, DVDs, and USB flash drives, to minimize the risk of confidential data loss and to reduce the risk of unauthorized disclosure and possible data breach. Agencies must be protected against information loss by ensuring data is tracked and that access to data and media resources is limited to only those personnel with need-to-know. Media protection also requires portable media access be disabled on all devices except to those authorized to use these devices – this helps to prevent a malicious user from uploading malware to the environment or downloading confidential information to an unauthorized personal storage device.

Mobile Device Security Policy

Mobile Device Security Policy v.1.0.pdf - Effective: 1/31/2017, 06/02/2017

The State’s use of mobile technology offers employees and contractors a more flexible work environment that helps to increase performance and productivity. Technology options like this expand work locations and allow staff to move freely within their work areas. However, this creates security challenges in protecting the confidential information accessed by authorized users through mobile devices. This policy contains the requirements for Mobile Device Security and Management throughout DoIT and other Maryland Executive Branch Agencies to ensure that data and information systems accessed via mobile devices are protected from the latest threats. The document also contains user agreement forms for State-issued devices and Bring Your Own Device (BYOD) deployments.

Network Documentation and Access Policy

Maryland DOIT Network Documentation and Access Policy v1.0.pdf - Effective: 1/31/2017

Network documentation is critical to efficient troubleshooting, standardizing implemented controls, and recovering in the event of a data loss or an integrity-impacting event. Network documentation establishes baseline environments and will be updated regularly to ensure accuracy. This documentation is especially critical in the event of a security incident or during a disaster recovery operation and makes the task of rebuilding or repairing the network or isolating information flow during an incident much easier and more efficient.

Official Use of Social Media Policy

Maryland DOIT Official Use of Social Media Policy v1.0.pdf - Effective: 1/31/2017

The effective use of social media allows the State to broadcast relevant information to its constituents quickly. Agencies may provide emergency information, status updates for ongoing repairs or outages, and general agency information using popular social media outlets. This policy establishes the requirements for using these platforms in a safe, professional manner and ensures the accounts are monitored to prevent misuse.

Patch Management Policy

Maryland DOIT Patch Management Policy v1.0.pdf - Effective: 1/31/2017

Patch management is a fundamental aspect of cybersecurity and is designed to prevent exploitation of known vulnerabilities. An effective patch management process helps reduce the time and effort spent defending against vulnerabilities already known to the information security field at large, and timely patching of known security issues is recognized as a best practice critical to maintaining the confidentiality, availability, and integrity of information systems. The period immediately after the release of a patch is a particularly vulnerable moment for organizations, because the window of time between obtaining, testing, and deploying a patch to the vulnerable IT Systems is sufficient for malicious entities to attempt various exploitation strategies. It is therefore imperative that an agency prioritizes patch management within its infrastructure.

PCI DSS Compliance Policy

Maryland DOIT PCI DSS Compliance Policy v1.0.pdf - Effective: 1/31/2017

One of the roles of cybersecurity within an organization is ensuring compliance with regulatory requirements, including the Payment Card Industry Data Security Standard (PCI DSS). Since many agencies use and accept credit card payments, either through online services or payment terminals at customer locations, this policy establishes the framework with which agencies under the policy authority of DoIT must comply.

Physical and Environmental Protection Policy

Physical and Environmental Protection Policy v.1.0.pdf - Effective: 1/31/2017, 6/08/2017

Personnel safety is paramount to the Department of Information Technology and the State of Maryland. Along with ensuring personnel safety, agencies must implement security measures to protect data, equipment, and the facilities housing State resources. These physical and environmental security controls are established within agencies to promote the security posture of the State and prevent, detect, and minimize the effects of unauthorized or unintended access to these areas.

Public and Confidential Information Policy

Maryland DOIT Public and Confidential Information Policy v1.0.pdf - Effective: 1/31/2017

The establishment of data classification levels is an important part of ensuring the protection and dissemination of potentially confidential data. The Maryland Executive Branch utilizes the definitions and guidelines established by the State of Maryland and relevant laws, such as 2013 Maryland Code §§10-1301 - 1308, relating to Public and Confidential Information requiring information to be classified appropriately and protected according to its security categorization (as defined in FIPS-199). This policy establishes how public and confidential data is defined and handled within the Enterprise and agencies under the policy authority of DoIT.

Remote Access Policy

Remote Access Policy v.1.0.pdf - Effective: 1/31/2017, revised 5/17/2017

The use of technology to work from remote locations, such as employees in the field or on-call staff accessing the network from home, is becoming more common. Remote access increases exposure to external threats by introducing additional attack vectors that may lead to compromise or data loss; therefore, effective security implementation is necessary. This policy ensures security procedures are integrated into remote connections to protect the information systems and the data that reside on them.

Security Assessment Policy

Maryland DOIT Security Assessment Policy v1.0.pdf - Effective: 1/31/2017

An agency must identify risks and prioritize efforts to reduce the impact those risks pose as much as possible. This policy sets standards for Risk Assessment, Vulnerability Assessment, and Penetration Testing as an overall approach to identifying exploitation vectors and assessing the potential for data compromise from cyber threats exploiting infrastructure vulnerabilities.

Third Party Interconnection Policy

Maryland DOIT Third Party Interconnection Policy v1.0.pdf - Effective: 1/31/2017

This policy establishes the baseline requirements for ensuring acceptable security measures exist between third-party interconnections, such as vendors or the Internet. Such connections must operate within acceptable risk levels and associated risk(s) must be assessed throughout the lifecycle of that connection.

Virtualization Policy

Virtualization Policy v.1.0.pdf - Effective: 1/31/2017, revised 5/30/2017

Organizations, including government agencies, are increasingly reliant upon virtualized environments, consolidating networking, server, and desktop capabilities to gain efficiency and maximize the use of limited hardware and software resources. The State’s use of virtualization technology creates security challenges that must be addressed when deploying, migrating, and administering virtual machines. This policy establishes the information security requirements for virtualization to ensure consistent and secure deployment of virtualized systems.

Wireless Access Policy

Wireless Access Policy v.1.0.pdf - Effective: 1/31/2017, revised 5/17/2017

Implementing wireless technologies presents new challenges in balancing information access with protecting data, which requires that security be properly designed and integrated into the devices and connections that support it. This policy establishes the requirements for the use of wireless technologies and the baseline requirements for proper implementation within Executive Agencies.
