Approved Date – 02/22/2021
Published Date – 02/22/2021
Review Date – 02/23/2023
1. Purpose
Establish the policy for safeguarding District information technology (IT) and communications ecosystems, data assets, DC Workforce Members, District constituents, and stakeholders. The District is highly dependent on the use of information technology, communications systems, and other cloud-based resources to effectively manage District programs and services. As such, with increasing risks, threats, and vulnerabilities the District must respond with the availability and continued modernization of security policies and technology which provide for information confidentiality, integrity, and availability.
2. Authority
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
3. Applicability
This policy applies to all District workforce members (including contractors, vendors, consultants, temporary staff, interns, and volunteers) performing official functions on behalf of the District, and/or any District agency or entity (e.g., subordinate, and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) who receive enterprise services from OCTO. In addition, this Policy applies to any provider and third-party entity with access to District information, systems, network, and applications.
4. Policy
District agencies and departments must develop or adhere to a strategy which demonstrates compliance with this policy and its related standards. The following outlines the requirements for this policy.
The District's agencies must develop and review or update annually and after change to the policy, a procedure in support of this policy with the following requirements.
4.1. On Network:
4.1.1. Only DC Agency authorized endpoints shall be used to access DC networks.
4.1.2. DC Workforce Members that access DC networks must be granted the most restrictive set of privileges required to perform authorized tasks.
4.1.3. DC Workforce Members that access DC networks must be connected using enterprise active directory credentials.
4.1.4. DC Workforce Members that need to perform IT administrator tasks on DC networks must use a separate privileged account to perform authorized tasks.
4.1.5. DC Agency authorized endpoints must implement an OCTO Operating System image. The following OCTO security and management tools must not be disabled or removed: an endpoint management agent ), Anti-Virus Software), and Full Disk Encryption (for laptops). These requirements are further described in "OCTO Enterprise Endpoint Device Standards." Remote administration by any DC Agency must only be performed using the OCTO-approved tools.
4.1.6. Remote Administrative access to enterprise resources within DC Data Centers must use a privilege access management solution (e.g., Direct administrative access from an endpoint to enterprise resources in DC Data Centers is strictly prohibited.
4.1.7. All non-DC agencies must sign a Memorandum of Understanding (MOU), Interconnection Security Agreement (ISA), and external rules of behavior document to gain access to DC ICT Resources.
4.1.8. All inter-agency network communication must be authorized; DC agencies are prohibited from accessing other DC agency non-public resources without an MOU.
4.2. Off-Network/Virtual Private Network (VPN) Access
For specific VPN guidance, refer to the OCTO Virtual Private Network Policy.
4.2.1. Government endpoints (laptop/desktop):
- DC Agency-approved endpoints must follow the same requirements for On Network endpoints.
- DC Agency-approved endpoints must ONLY use an OCTO enterprise VPN.
4.2.2. Government mobile devices (phone, tablets, etc.):
- DC Agency-approved mobile devices must follow the same requirements for On Network devices.
- DC Agency-approved mobile devices must implement an OCTO-approved Mobile Device Management Solution (MDM).
4.2.3. Non-Government endpoints (e.g. BYOD):
- Non-government endpoints are prohibited from accessing the DC Intranet (DC network) via wired or wireless connections unless connecting via Virtual Desktop Infrastructure (VDI). Agency helpdesks are not responsible for providing help desk support for these devices.
- On-government endpoints must use an enterprise Layer 4 VPN connection to authorized network resources.
4.3. Access Not Conforming to Standards
Access to the network not conforming to the above standards is expressly prohibited.
5. Exemption
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
6. Definitions
The definition of the terms used in this document can be found in the Policy Definitions website.