1914 System and Information Integrity Policy


Department of Human Services
Online Directives Information System

Index: POL1914

Revised: 06/02/2025

Next Review: 06/02/2027

Subject: DHS Information Security Policies

Policy

This policy establishes the Enterprise System and Information Integrity Policy for managing risks from system flaws and vulnerabilities, malicious code, unauthorized code changes, and inadequate error handling through the establishment of an effective System and Information Integrity program. The program helps DHS implement security best practices for system configuration, security, and error handling.

Authority

  1. United States Department of Commerce National Institute for Standards and Technology (NIST)

  2. United States Internal Revenue Service

  3. United States Department of Health & Human Services – Administration of Children and Families (ACF), Office of Child Support Services (OCSS)

  4. United States Department of Health & Human Services - Centers for Medicare & Medicaid Services (CMS)

  5. Georgia Technology Authority

  6. Social Security Administration

  7. Federal Bureau of Investigation (Criminal Justice Information Services)

Applicability

The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.

Definitions

Information Integrity

Assurance that the data being accessed or read has neither been tampered with, nor been altered or damaged through a system error, since the time of the last authorized access.

System Integrity

The state of a system where it is performing its intended functions without being degraded or impaired by changes or disruptions in its internal or external environments.

Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

Responsibilities

DHS shall adopt the principles established in the NIST SP 800-53 “System and Information Integrity” control family as the official policy for this domain. The following subsections outline the System and Information Integrity standards that constitute this policy. Each DHS Business System is bound to this policy and shall develop or adhere to a program plan that demonstrates compliance with the standards documented here.

SI-1 System and Information Integrity Procedures

  1. Develop, document, and disseminate to designated agency personnel:

    1. Organization-level system and information integrity policy that:

      1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

      2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

    2. Procedures to facilitate the implementation of the system and information integrity policy and the associated controls.

  2. Designate an agency official to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and

  3. Review and update the current system and information integrity control:

    1. Policy every one (1) year (or if there is a significant change); and

    2. Procedures every one (1) year (or when there is a significant change).

SI-2 Flaw Remediation

  1. Identify, report and correct system flaws;

  2. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

  3. Install security-relevant software and firmware updates promptly after the release of the updates; and

  4. Incorporate flaw remediation into the organizational configuration management process.

SI-2 (2) Automated Flaw Remediation Status:

Determine if system components have applicable security-relevant software and firmware updates installed using automated mechanisms at a minimum monthly; daily for networked workstations and malicious code protection.

SI-2 (3) Time to Remediate Flaws and Benchmarks for Corrective Actions:

  1. Measure the time between flaw identification and flaw remediation; and

  2. Establish the following benchmarks for taking corrective actions: Agency defined based on criticality.

SI-2 (4) Automated Patch Management Tools:

Employ automated patch management tools to facilitate flaw remediation for all CUI systems, including but not limited to mainframes, workstations, applications, and network components.

SI-2 (5) Automatic Software and Firmware Updates:

Install security-relevant software and firmware updates automatically to all CUI systems.

SI-2 (6) Removal of Previous Versions of Software and Firmware:

Remove previous versions of security-relevant software and firmware components after updated versions have been installed.

IRS.1:

The agency shall ensure that, upon daily power-up and connection to the agency’s network, workstations (as defined in policy, including remote connections using GFE workstations) are checked to ensure that the most recent agency-approved patches have been applied and that any absent or new patches are applied as necessary, or are otherwise checked not less than once every 24 hours (excluding weekends, holidays, etc.).

SI-3 Malicious Code Protection

  1. Implement signature-based and/or non-signature-based malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

  2. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;

  3. Configure malicious code protection mechanisms to:

    1. Perform periodic scans of the system and implement weekly and real-time scans of files from external sources at endpoint and network entry/exit points as the files are downloaded, opened, or executed in accordance with agency security policy; and

    2. Either block or quarantine malicious code and send an alert to the system administrator in response to malicious code detection; and

    3. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

IRS.1:

All removable media must be scanned for malicious code upon introduction of the media into any system on the network and before users may access the media.

IRS.2:

Not less than daily, the agency shall check for updates to malicious code scanning tools, including anti-virus (AV) and anti-spyware software and intrusion detection tools, and when updates are available, implement them on all devices on which such tools reside.

SI-4 System Monitoring

  1. Monitor the system to detect:

    1. Attacks and indicators of potential attacks, in accordance with the IT/Cybersecurity monitoring objectives defined in agency policy; and

    2. Unauthorized local, network, and remote connections;

  2. Identify unauthorized use of the system through a variety of techniques and methods;

  3. Invoke internal monitoring capabilities or deploy monitoring devices:

    1. Strategically within the system to collect organization-determined essential information; and

    2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;

  4. Analyze detected events and anomalies;

  5. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

  6. Obtain legal opinion regarding system monitoring activities; and

  7. Provide the output from system monitoring to designated agency officials at a minimum every two weeks or sooner if deemed necessary.

SI-4 (1) System-wide Intrusion Detection System:

Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.

SI-4 (2) Automated Tools and Mechanisms for Real-Time Analysis:

Employ automated tools and mechanisms to support near real-time analysis of events.

SI-4 (4) Inbound and Outbound Communications Traffic:

  1. Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;

  2. Monitor inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions.

SI-4 (5) System-Generated Alerts:

Alert the appropriate agency personnel when the following system-generated indications of compromise or potential compromise occur: suspicious activity reported from firewalls, intrusion detection systems, malware detection systems, and other agency-defined security tools that report indications of compromise or potential compromise.

SI-4 (10) Visibility of Encrypted Communications:

Make provisions so that agency-defined encrypted communications traffic is visible to agency-defined system monitoring tools and mechanisms.

SI-4 (11) Analyze Communications Traffic Anomalies:

Analyze outbound communications traffic at the external interfaces to the system and at selected agency-defined interior points within the system to discover anomalies.

SI-4 (12) Automated Organization-Generated Alerts:

Alert agency-defined personnel or roles using automated mechanisms when the following indications of inappropriate or unusual activities with security or privacy implications occur: agency-defined activities that trigger events.

SI-4 (14) Wireless Intrusion Detection:

Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.

SI-4 (18) Analyze Traffic and Covert Exfiltration:

Analyze outbound communications traffic at external interfaces to the system and at agency-defined interior points within the system to detect covert exfiltration of information.

SI-4 (23) Host-Based Devices:

Implement the following host-based monitoring mechanisms at organization system components: intrusion detection system / intrusion prevention system (IDS/IPS).

SI-4 (24) Indicators of Compromise:

Discover, collect, and distribute to organization-defined personnel or roles, indicators of compromise provided by government and non-government sources.

IRS.1:

All Internet Access Points/portals shall capture and retain, for at least one year, inbound and outbound traffic header information, with the exclusion of approved Internet "anonymous" connections, as may be approved by the agency CISO.

SI-5 Security Alerts, Advisories, and Directives

  1. Receive system security alerts, advisories, and directives from third parties such as US-CERT, MS-ISAC, product vendors, etc. on an ongoing basis;

  2. Generate internal security alerts, advisories, and directives as deemed necessary;

  3. Disseminate security alerts, advisories, and directives to appropriate personnel with security responsibilities (e.g., system administrators, ISSOs, system owners, incident response capabilities, etc.); and

  4. Implement security directives in accordance with established time frames or notify the issuing organization of the degree of noncompliance.

SI-6 Security and Privacy Function Verification

  1. Verify the correct operation of organization-defined security and privacy functions;

  2. Perform the verification of the functions specified in SI-6a upon system startup and/or restart, upon command by a user with appropriate privileges, or at least monthly;

  3. Alert, at a minimum, the system / security administrator to failed security and privacy verification tests; and

  4. Shut the system down, restart the system, or perform another defined alternative action(s) documented in the applicable System Security Plan (SSP) when anomalies are discovered.

SI-7 Software, Firmware, and Information Integrity

  1. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: system kernels, drivers, firmware (e.g., BIOS, UEFI), software (e.g., OS, applications, middleware) and security attributes.

  2. Take the following actions when unauthorized changes to the software, firmware, and information are detected (using organization-defined detection mechanisms such as parity checks, cyclic redundancy checks, and cryptographic hashes): immediately disconnect the device from the network and notify designated agency officials.

SI-7 (1) Integrity Checks:

Perform an integrity check of software, firmware, and information at startup; at the identification of a new threat to which the information system is susceptible; the installation of new hardware, software, or firmware; or at a minimum monthly.

SI-7 (7) Integration of Detection and Response:

Incorporate the detection of the following unauthorized changes into the organizational incident response capability:

  1. Unauthorized changes to baseline configuration settings; and

  2. Unauthorized elevation of system privileges.

SI-7 (10) Protection of Boot Firmware:

Implement the following mechanisms to protect the integrity of boot firmware in systems where CUI is accessed, processed, stored, or transmitted: verifying the checksum of downloaded firmware.

SI-8 Spam Protection

  1. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and

  2. Update spam protection mechanisms when new releases are available in accordance with agency configuration management policy and procedures.

SI-8 (2) Automatic Updates:

Automatically update spam protection mechanisms at least every one (1) week.

SI-10 Information Input Validation

Check the validity of the following information inputs: all inputs to web/application servers, database servers, and any system or application input that might receive crafted input intended to execute code or trigger a buffer overflow.

SI-11 Error Handling

  1. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and

  2. Reveal error messages only to designated agency officials.

SI-12 Information Handling and Retention

  1. Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and operational requirements.

  2. Dispose of, destroy, and/or erase all data received from SSA to administer benefit programs after the required processing of such data for the applicable benefit programs.

SI-12 (1) Limit Personally Identifiable Information Elements:

Limit Personally Identifiable Information (PII) processed in the information life cycle to the minimum PII elements that are necessary to accomplish the legally authorized purpose of collection.

SI-12 (2) Minimize Personally Identifiable Information in Testing, Training, and Research:

Use the following techniques in accordance with organizational standards and applicable federal and state laws and regulations to minimize the use of personally identifiable information for research, testing, or training: Submission of the Data Testing Request (DTR) form for review and approval by IRS Office of Safeguards.

SI-12 (3) Information Disposal:

Use the following techniques to dispose of, destroy, or erase information following the retention period: organization-defined techniques and in a manner that prevents loss, theft, misuse, or unauthorized access.

SI-16 Memory Protection

Implement the following controls to protect the system memory from unauthorized code execution: hardware-based or software-based data execution prevention.

SI-18 Personally Identifiable Information Quality Operations

  1. Check the accuracy, relevance, timeliness, and completeness of Personally Identifiable Information (PII) across the information life cycle at least every one (1) year; and

  2. Correct or delete inaccurate or outdated PII.

SI-18 Personally Identifiable Information Quality Operations:

Correct or delete Personally Identifiable Information (PII) upon request by individuals or their designated representatives.

SI-18 (5) Notice of Collection or Deletion:

Notify organization-defined authorized recipients of Personally Identifiable Information (PII) and individuals whose PII has been corrected or deleted.

History

Date Change User Version

Evaluation

The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:

  1. Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as IRS 1075, NIST 800-53, and CMS MARS-E.

  2. Addressing any deficiencies or gaps discovered during periodic audits conducted by Georgia DOAA or other regulatory bodies, such as IRS, CMS, SSA, and the FBI.