Texas Department of Housing & Community Affairs - Building Homes and Strengthening Communities

Information Technology (IT) Security Practices and Guidelines

The Texas Department of Housing and Community Affairs (TDHCA) created this set of IT practices to provide subrecipients with guidance on how to safeguard financial and performance data associated with TDHCA programs.

The IT security practices defined here were adapted from the Texas Department of Information Resources' security policies, standards, and guidelines for state agencies and universities at http://www.dir.texas.gov/security/policy/Pages/policy.aspx. For additional information, please contact the TDHCA Information Systems Division.

Disclaimer: TDHCA is responsible for safeguarding the data you enter into TDHCA systems. TDHCA is not responsible for the hardware, software, or data owned or maintained by other organizations.

  1. Identify Critical IT Assets

    First, ensure that the inventory of the software, hardware, systems, and data in your organization is up to date. Then determine what components constitute your critical IT assets. At a minimum, those components that are used to track financial and performance data associated with TDHCA programs will be considered critical IT assets.
  2. Perform a Risk Assessment
    1. Find and document the vulnerabilities associated with critical IT assets. Some examples of vulnerabilities include:
      1. Theft or disaster.
      2. Accidental deletion of files; terminated employees purposely destroying data.
      3. Internet exploits, system hackers, viruses.
      4. Critical data stored on individual PCs, without redundant hard drives or backups maintained off-site.
      5. Site-specific vulnerabilities (i.e. available hardware, software, and personnel) dependent on an organization’s cost constraints.
      6. Loss of portable computing devices such as USB flash drives, laptops, memory cards, and PDAs.
      7. Vulnerabilities associated with wireless networking.
    2. Measure your ability to control the vulnerabilities that you document, and identify areas that have a high risk of compromise.
    3. Estimate the costs of minimizing risks, and conduct a cost/benefit analysis to make a determination of where you will implement security controls and where there are acceptable risks.
  3. Establish a Written IT Security Policy

    Apply a written IT security policy to your software, hardware, systems, networks, data, and personnel. At a minimum, your written IT security policy should address your critical IT assets and factor in the results of your risk assessment.

    Your IT security policy should be tailored to the size and resources of your organization. Some policies that apply to organizations maintaining networked resources that share an Internet connection may not apply or may be different for an organization that consists of one or two people using a PC with an Internet connection. The key elements that should be considered in your IT security policy are listed below.
    1. Physical Security

      Servers, backup media, and other associated equipment should be placed in a secure location. Access to this area should be restricted to certain employees who are responsible for the equipment and for adhering to the physical security policy.
    2. Account Management

      If your IT environment is networked, you will need a policy addressing account management and password management. Procedures for managing accounts should be documented, and employees assigned to this function should be trained in those procedures. Example procedures would be: procedure for adding a new account, procedure for disabling an account when an employee resigns or is terminated, and procedure for changing or assigning a new password. Accounts should become locked after a set period of inactivity.
    3. Passwords

      Your written IT security policy should include a password policy that is also enforced through system settings. The policy should address the following password parameters:
      1. Length – should be 8 or more characters.
      2. Complexity – should contain at least one character from at least three of these categories: uppercase, lowercase, numeric, and special.
      3. Expiration – should expire after a maximum of 90 days.
      4. History – do not allow reuse of the previous three passwords.
      5. Aging – define the minimum time that a password must be used before it can be changed.
      6. Encryption – password authentication to a network system should be encrypted.
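      As an added illustration (not part of the TDHCA guidance), the following Python checker enforces the parameters listed above for a single account: length, three-of-four complexity, a history of the previous three passwords kept only as salted hashes, minimum age, and 90-day expiration. The one-day minimum age is an assumed value, since the policy leaves that number to the organization.

```python
import hashlib
import hmac
import os
from datetime import date

# Parameters from the policy above; MIN_AGE_DAYS is an assumed value because
# the policy leaves the minimum age to the organization.
MIN_LENGTH = 8
MIN_CATEGORIES = 3
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 3
MIN_AGE_DAYS = 1


def category_count(pw):
    """Number of character classes (upper, lower, numeric, special) present."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in pw) for check in checks)


def _digest(pw, salt):
    # Slow salted hash so the history store never holds reusable plaintext.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class PasswordRecord:
    """Per-account state: recent password digests and date of last change."""

    def __init__(self):
        self.history = []   # (salt, digest) pairs, newest first
        self.set_on = None  # date the current password was set

    def violations(self, candidate, today):
        """Return the names of the policy parameters the candidate violates."""
        today = date.fromisoformat(today)
        problems = []
        if len(candidate) < MIN_LENGTH:
            problems.append("length")
        if category_count(candidate) < MIN_CATEGORIES:
            problems.append("complexity")
        if any(hmac.compare_digest(_digest(candidate, salt), digest)
               for salt, digest in self.history[:HISTORY_DEPTH]):
            problems.append("history")
        if self.set_on and (today - self.set_on).days < MIN_AGE_DAYS:
            problems.append("aging")
        return problems

    def set_password(self, candidate, today):
        """Apply the change if compliant; returns the list of violations."""
        problems = self.violations(candidate, today)
        if not problems:
            salt = os.urandom(16)
            self.history.insert(0, (salt, _digest(candidate, salt)))
            self.history = self.history[:HISTORY_DEPTH]   # keep only the last three
            self.set_on = date.fromisoformat(today)
        return problems

    def expired(self, today):
        """True once the current password is older than MAX_AGE_DAYS."""
        age = (date.fromisoformat(today) - self.set_on).days if self.set_on else None
        return age is None or age > MAX_AGE_DAYS
```

A system that enforces these settings natively (domain or local account policy) is the intended control; a checker like this is useful for applications that keep their own credential store.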
    4. Patching Servers and Workstations

      Operating systems should be kept updated per vendor recommendations. For example, when a Microsoft vulnerability has been announced, the patch should be applied after it has been tested. Systems administration staff should routinely harden operating systems and applications. For example, unused ports and services should be closed and turned off, unneeded application features should be disabled, and demo or default application data should be moved or deleted.
    5. Virus Protection

      Anti-virus software should be installed on every workstation and server. Configure anti-virus software to be updated on a regular schedule.
    6. Firewalls

      You should have a firewall for filtering undesired traffic between the Internet and your internal network.
    7. Wireless

      TDHCA does not recommend the use of wireless networks. If you have a wireless network or wireless devices, be aware of the inherent risks and seek professional guidance for securing them.
    8. Portable Computing Devices

      Your written IT security policy should address physical security of, employee responsibilities for, and encryption of portable computing devices.
    9. Backup and Recovery

      Critical data should be backed up to another medium that is stored, preferably off-site, in a location that addresses physical security related to theft as well as environmental hazards. Critical data includes but is not limited to financial and performance data associated with TDHCA programs.
  4. Putting the Policy into Action

    Once you have a written IT security policy in place that fits your organization, the employees that have been designated for this responsibility should put the policy into action. Depending on the size, resources, and needs of your organization, you may decide to outsource some or all of the tasks relating to implementation, maintenance, and testing and review.
    1. Implementing the Policy

      Implementing the policy consists of the technical tasks required to bring your software, hardware, systems, networks, and data in line with your written IT security policy.
    2. Performing Maintenance

      Performing maintenance consists of the ongoing responsibilities and actions needed to ensure that your IT security policy is followed on a daily basis.
    3. Conducting Periodic Testing and Reviews

      To ensure that your IT security policy is being followed successfully, you must conduct periodic testing and reviews. Document a testing plan and schedule. The testing plan should contain the criteria for success and failure.

Page creation date: January 1, 2004
Page last revised: September 15, 2008