
OKDHS:2-45-10. Information security regulations

Issued 5-1-09

(a) Regulations.  All Oklahoma Department of Human Services (OKDHS) information must be protected from unauthorized access, use, disclosure, disruption, modification, duplication, diversion, or destruction, whether accidental or intentional, in order to maintain confidentiality, integrity, and availability.

(b) Scope and applicability.  OKDHS information security regulations apply to:

  • (1) all information collected, maintained, or disseminated by OKDHS;
  • (2) all information systems used by OKDHS, OKDHS contractors and vendors, and any entity on behalf of OKDHS;
  • (3) all OKDHS divisions, business units, employees, and business partners; and
  • (4) contractors and third party entities, where applicable, who host, store, access, develop, use, manage, manipulate, or maintain OKDHS data and information systems.

(c) Controls.  Information security controls are implemented through a defense-in-depth security structure that is risk-based and business-driven and provides limited access:

  • (1) to OKDHS information, based on a least-privilege approach and a need-to-know basis; and
  • (2) by authorized users, based on only information required for the performance of required tasks.

(d) Effective.  OKDHS information security regulations remain in effect until officially superseded or cancelled by the Information Security Office (ISO).  No OKDHS division may create a policy that supersedes information security regulations or the Information Security Program requirements.

  • (1) Information Security Office.  The ISO has overall responsibility and authority for the development and implementation of the OKDHS Information Security Program, including information security regulations, standards, guidelines, and procedures.  ISO responsibilities include:
    • (A) administer audit and oversight authority to ensure compliance with information security regulations and procedural requirements;
    • (B) ensure that information security management processes are integrated with the OKDHS strategic and operational planning process; and
    • (C) ensure that ISO, in coordination with OKDHS executive officers, monitors and annually reports on the effectiveness of the Information Security Program.
  • (2) Data Services Division.  Data Services Division (DSD) is responsible for technical implementation and technical administration of the Information Security Program, to comply with OKDHS information security regulations.  DSD responsibilities include:
    • (A) develop and implement additional divisional regulations, standards, guidelines, and procedures, with input from ISO, OKDHS executive officers, and business and system owners;
    • (B) provide security and awareness training to all DSD staff, and specialized training to staff with significant security or system responsibilities; and
    • (C) designate staff to liaise directly with ISO to develop and maintain DSD information security regulations, standards, guidelines, procedures, and control techniques.
  • (3) Finance Division.  Finance Division is responsible for compliance with the Information Security Program as it pertains to Finance systems and the Finance Data Center.  Finance Division responsibilities include:
    • (A) develop and implement additional divisional regulations, standards, guidelines, and procedures, with input from ISO, OKDHS executive officers, and business and system owners;
    • (B) provide security and awareness training to all Finance Division staff, and specialized training to staff with significant security or system responsibilities; and
    • (C) designate staff to liaise directly with ISO to develop and maintain Finance Division information security regulations, standards, guidelines, procedures, and control techniques.
  • (4) Information Technology Governance Board.  Information Technology (IT) Governance Board responsibilities include:
    • (A) designate staff to liaise directly with ISO;
    • (B) promote the Information Security Program regulations and initiatives; and
    • (C) actively participate, through the IT Governance Board liaison, in strategic, initiative, and project-based information security planning.
  • (5) OKDHS divisions.  All OKDHS divisions are responsible for compliance with the Information Security Program to protect data and information systems over which they have control.  Division responsibilities include:
    • (A) develop and implement additional divisional regulations, standards, guidelines, and procedures, with input from ISO, OKDHS executive officers, and business and system owners;
    • (B) provide security and awareness training to all divisional staff, and specialized training to divisional staff with significant security or system responsibilities; and
    • (C) designate staff to liaise directly with ISO to develop and maintain divisional information security regulations, standards, guidelines, procedures, and control techniques.
  • (6) OKDHS employees.  OKDHS employees are responsible for compliance with the Information Security Program to ensure the protection of OKDHS data and information systems.

(f) Sanctions.  Failure to comply with provisions of OKDHS:2-45 may result in disciplinary action, per OKDHS:2-1-7, and could result in civil or criminal penalties.
