Category: Security Architecture
Applicability: Applied to all public entities and state government agencies, excluding higher education institutions
History: Adopted on June 27, 2007. Amended on March 4, 2008 (by NITC 1-103).
The State of Nebraska recognizes the National Institute of Standards and Technology (NIST) as the adopted author of deployment configurations that provide minimum baselines of security for servers on the State of Nebraska network. As such, all state agencies, boards and commissions will comply with NIST standards, guidelines, and checklists as identified in Appendix A.
NIST provides instructions, recommendations, and considerations to assist readers in deploying servers securely. All State of Nebraska System Administrators should examine NIST documents when installing and/or configuring servers. The documents are not all-inclusive, but rather are meant as a means of prompting and guiding Administrators through the installation process.
Information technology (IT) is a vital resource to the State of Nebraska; therefore, it is critical that services provided by these systems are able to operate effectively.
The purpose of this standard is to establish base configurations and minimum server standards on internal server equipment that is owned and/or operated by the State of Nebraska. Effective implementation of this policy will minimize unauthorized access and other IT security-related events to the State of Nebraska's information and technology systems.
All State agencies, boards, and commissions, excluding higher education institutions, which deploy servers on the State of Nebraska network.
The NITC shall be responsible for adopting minimum technical standards, guidelines, and architectures upon recommendation by the technical panel. (Neb. Rev. Stat. § 86-516(6))
The highest authority within an agency or institution is responsible for the protection of information resources, including developing and implementing information security programs, consistent with this standard. The authority may delegate this responsibility, but delegation does not remove the accountability.
In most cases, the highest authority within an agency or institution delegates the general responsibility for security of the agency's information technology resources to the agency's highest-ranking information technology professional. This responsibility includes development and promulgation of agency-specific information security policies, including installation and configuration of all servers present on the state's network.
In most cases, the authority within an agency or institution responsibility for the day-to-day system, network and/or security administration of the agency's information technology resources. This responsibility includes ensuring due diligence to security best practices is performed when any server is made available on the state's network.