Tuesday, January 5, 2016 - 1:00pm to 2:30pm

Location Details: 

Information Technology Dept.
Room 208V
4201 Normandy Street North
Bismarck, ND 58503

Meeting Agenda:

  • News and Updates
  • Data Encryption
  • Mobile Device Sanitization
  • Prioritization of Security Initiatives
  • Final review of Standards
  • Open Discussion

Meeting Recap:

Updates and News
  • Reminder – Internet Explorer versions older than 11 will no longer be patched or supported after January 12, 2016, so agencies need to have a strategy in place to address that.
  • Reminder – ITD now has an Enterprise Password Management service that is available at no cost to agencies. A service page is not available yet, but you can contact the service desk to inquire about the service.
  • After receiving feedback from the Security Architecture group and the IT Coordinators Council, ITD will include domain-level Enable/Disable permission for the Service Desk employees in the upcoming Security SLA. This will include a policy to never enable accounts unless a very specific process is followed.
Data Encryption
  • The group spent considerable time discussing the draft Encryption standard. Minor changes included an effort to not require encryption on desktop computers, since those present the highest cost and are least likely to be lost or stolen.
  • The intent is to add encryption of sensitive data on servers and removable storage as a requirement, but also to factor in that agencies aren’t budgeted for that now and would require funding in the next biennium.
Mobile Device Sanitization
  • The group briefly discussed the sanitization needed before mobile devices are surplused or repurposed, and how to determine what level of effort is needed to ensure they are wiped. The belief is that all Apple devices at iOS 8 or higher are encrypted.
  • The only way to use an encrypted device would be to know the PIN to access it, or to do a factory reset that wipes the user data.
  • The group feels comfortable at this point that any device that has been encrypted should be fine to surplus with just a reset, but this will be discussed further.
Prioritization of Security Initiatives
  • The group ran out of time to discuss an initial effort to develop a prioritization of EA security initiatives, but some examples include:
    1. Multi-Factor Authentication for all Active Directory accounts
    2. Scanning outbound email for PII, PHI, etc.
    3. Stricter mobile device management policies