3353-1-12 Security standards for computerized systems.

Electronic data processing equipment used for personal information systems shall be subject to the requirements of rule 3353-1-08 of the Administrative Code and the following standards:

(A) The agency shall permit only authorized personnel to have access to electronic data processing equipment which is used for personal information systems. Authorized personnel includes agency officials and employees who operate, maintain or repair the equipment and anyone else who needs access to the equipment and whose access is authorized by the agency.

(B) Where teleprocessing terminals are used, the agency shall provide and enforce a method for the verification of the identity of all individuals using a terminal.

(C) Any request for proposal for hardware and/or software shall include security specifications. The evaluation of any proposed hardware or software shall include an evaluation of security features. If such features are not adequate to meet the security needs of the system, as determined in the security plan, the proposal shall not be accepted. Security features which should be considered in the evaluation of hardware or software include audit capabilities, the ability to verify the identity of the users through such means as passwords and the ability to restrict access to programs which are stored in contiguous areas. Security features shall be of major importance in the selection of any hardware or software.

(D) Access to both applications and systems programs which are used to maintain personal information systems shall be restricted by keeping such programs in a secure place whether they are in hard copy or computer readable form. This means that listings or programs shall be locked up or kept in areas where access is strictly limited to authorized personnel when they are not in use.

Eff 2-15-82
Rule promulgated under: RC 111.15
Rule amplifies: RC 1347.05, 1347.06, 111.15