California OCIO Case Study

profileyuvi123
case_study_operation_security.pdf

Public Sector Case Study

To improve security in California’s IT infrastructure, the Office of the State Chief Information

Officer

(OCIO) issued a new policy that includes employee remote access security standards for working

from home

or off-site. The policy also requires that state agencies complete a compliance form.

The policy was issued to help state agencies develop secure remote access for employees and

minimize

security risks. The corresponding standard highlights important measures that IT agencies must

adopt to

certify their remote access programs. It includes controls related to the use of up-to-date

operating system

software and security software for every remote connection.

The standard also requires that all computing equipment connected to the state’s IT infrastructure

network for

remote access purposes be state-owned and securely configured. Remote access users can only

connect

through secure encrypted channels—virtual private networks—authorized by agency

management. The

security measures also apply to paper files and mobile devices like personal digital assistants

(PDAs).

According to the information policy letter, agency heads must comply with the following:

• Make sure authorized users permitted to use remote access are trained for their roles and

responsibilities,

security risks, and the requirements in the standard

• Adopt and implement the requirements in the standard and certifying their agency’s compliance

• Annually complete and submit the Agency Telework and Remote Access Security Compliance

Certification form to the Office of Information Security

California was among the first governments in the country to establish enterprise-wide policies

for remote

access, joining states such as Virginia and Arizona, and the federal government.