ISC Policy 13.00: Network Infrastructure Support and Maintenance

Strategic Technology Solutions (STS) will manage and secure the State’s network infrastructure and will govern those network infrastructures which are operated on behalf of the State to ensure the confidentiality, integrity, and availability of the operations of government and those it serves.

REFERENCE:

Tennessee Code Annotated, Section 4-3-5501, et seq., effective May 10, 1994.

OBJECTIVES:

  1. Ensure continuous efforts to secure information systems including network infrastructure as directed by the “Comprehensive National Cyber-security Initiative” of the United States, the National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23), Presidential Policy Directive 41, Presidential Executive Order No 13800, 82 FR 22391 and Presidential Executive Order, 84 FR 20523.
  2. Ensure connectivity for State systems and access to data maintained by all state departments, agencies, commissions, or boards.
  3. Protect the network infrastructure, including those managed by a third party on behalf of the State, serving the citizens of the State of Tennessee from unauthorized access, disruption, and/or corruption, and ensure efficiencies and network availability.
  4. Ensure the security controls used to protect the confidentiality and privacy of protected information are compliant with the federal or state statute, regulation or policy under which the data is protected.
  5. Ensure enhanced security by the establishment and enforcement of standard architecture, hardware, software and configurations.
  6. Maintain a fully developed statewide security policy to protect the confidentiality, integrity, and availability of the operations of government and those it serves.
  7. Optimize network efficiencies and availability through centralized management of infrastructure and security.
  8. Ensure third-party network infrastructure used to provide State services meets or exceeds the security controls defined by the State.

SCOPE:

This network infrastructure support and maintenance policy includes all Information Technology (IT) resources and associated network infrastructure components, including the strategies, policies, standards, procedures, architecture and guidelines necessary to assure the confidentiality, integrity, and availability of the State’s information technology resources, as well as all distributive processing and network related systems whether State hosted and managed or third-party hosted and managed on the State’s behalf including cloud services.

IMPLEMENTATION:

Department of Finance & Administration, Strategic Technology Solutions

  1. Responsible for defining the roles and responsibilities for securing and managing State networks and those networks managed on behalf of the State. Authorized to establish and enforce policy and statewide standards for State IT resources or those operated on behalf of the State.
  2. Responsible for administering the State’s security awareness program.
  3. Responsible for providing the secure, centralized, and standardized management of Local Area Networks (LANs), Metropolitan Area Networks (MANs), and Wide Area Networks (WANs) including policies and connectivity to enhance the implementation and management of security and thereby reduce time lost to recover from security intrusions, viruses, and “hackers.”
  4. Responsible for approval and governance of third-party network infrastructure operated on behalf of the State.
  5. Responsible for securing the network through the effective and efficient use of resources to make satisfactory network repairs; and should detachment occur, responsible to communicate immediately with the agency to advise it of findings, cause for detachment, and commit resources to work with the agency to assist in satisfactory repair.
  6. Provide assistance to and partner with agencies in the creation of guidelines, procedures, training and tools in order for agencies to conduct self-monitoring and self-assessment.
  7. Responsible for and authorized to perform audits on any device that connects to the State of Tennessee’s networks or affects cyber security.
  8. The State’s Chief Information Officer, as a member of the State’s Homeland Security Council, is authorized to act in the best interest of the State to assign network priorities in the event of either a homeland security incident, or the catastrophic loss of core network processing capability, and will ensure appropriate dialogue with the Homeland Security Council leadership.

Agencies and Other Connected Entities

  1. Each department, agency, commission, board, local governmental entity, or state supported institution that connects to the networks managed by STS shall adhere to all applicable security and disaster recovery policies, standards, and procedures for the State’s information systems environment.
  2. Information systems security coordinators shall be appointed as department, agency, commission, board, or institution representatives; and, shall be responsible for information systems security coordination.
  3. Each department, agency, commission, and board that connects to the networks managed by STS shall adhere to standards for server configuration and shall have the configuration reviewed and approved by STS prior to attaching the server to a network segment, and shall submit to no-notice STS performed audits.
  4. Each vendor, subrecipient, or contracting company and their employees doing business with the State and that connects to STS managed networks shall adhere to all applicable security and disaster recovery policies, standards, and procedures for the State’s information systems environment and shall sign a Network Connectivity Agreement with STS.
  5. Each department, agency, commission, and board that issues network or system user IDs to employees, contractors, vendors or subrecipients shall obtain a signed State of Tennessee Acceptable Use Policy Information Technology Resources User Agreement Acknowledgement annually from each employee, contractor, vendor or subrecipient as a condition of ID issuance and use.

Exclusions and Exemptions

  1. This policy excludes Ultra High Frequency (UHF), Very High Frequency (VHF), 700 MegaHertz radio, and 800 MegaHertz radio ranges, and data wireless communication systems involving law enforcement officers and first responders; car to officer communications, with the exception of wireless Local Area Networks (LANs, 802.11x) that are included within this policy.
  2. Non-executive branch agencies, including the Tennessee Bureau of Investigation, the General Assembly, the Judicial Branch, and all Constitutional Officers shall be exempted only from the governance structure defined in this ISC Policy. Exempted entities will maintain similarly stringent network operating system environments to retain full network access privileges, and their procedures, checklists, and performance reports will be reviewed upon request by the Information Systems Council or its designee.

08-16-2022, Approved by the Information Systems Council