Attachments - Part 2 - Kansas Turnpike Authority
Roadside Toll Collection System RFP Attachments
Attachments - Part 2
Attachment 6 – KTA Information Security Overview
Attachment 7 – Kansas License Plate Guide
Attachment 8 – Implementation Responsibility Matrix
Attachment 9 – Special Instructions – Traffic Control Restrictions
Attachment 10 – KTA Network Topology
Attachment 11 – Maintenance Responsibility Matrix
Attachment 12 – KTA COVID-19 Vendor Information
Attachment 13 – NIOP ICD - Appendix C
Kansas Turnpike Authority (KTA) March 18, 2021 Attachments

Roadside Toll Collection System RFP Attachment 6 – KTA Information Security Overview
Attachment 6 KTA Information Security Overview
Kansas Turnpike Authority (KTA) March 18, 2021 Attachment 6
5-3-1. COMPUTER USAGE POLICY AND GUIDELINES

1. Purpose:
1.1. This document establishes Kansas Turnpike Authority policy governing computer usage and the authorized limited personal use of Authority assets. This includes the use of Authority equipment and resources, computers, tablets, telephones, Internet access, electronic mail (email), voice mail, reproduction equipment, and facsimile systems.

2. Definitions:
2.1. Authority Assets – Property, materials, equipment, facilities, proprietary information, and resources, hereinafter collectively referred to as “assets,” intended to be used for the conduct of the Authority’s business.
2.2. Electronic Mail (email) – Electronically transferred information, typically in the form of messages and attached documents, from a sending party to one or more receiving parties via an electronic mail system.
2.3. Internet – A public global computer network connecting commercial, government and educational organizations.
2.4. Intranet – The computer network connecting Kansas Turnpike Authority sites and computers.

3. Policy:
3.1. Kansas Turnpike Authority assets are to be used for business purposes to advance the Authority’s strategic objectives. However, occasional personal use by employees of Authority assets may occur without compromising Kansas Turnpike Authority’s interests. This policy establishes the conditions for such use.
3.2. Certain terms used in this policy, particularly with regard to the content and use of electronic materials/transmissions, are not amenable to precise definition. For example, it is not possible to define the term "insignificant value" by means of a precise dollar limitation, or "occasional use" by means of a specific number. Employees and their department directors are expected to use good judgment in appropriate use of Authority assets consistent with the purposes of this policy. However, the final determination regarding what constitutes appropriate use consistent with this policy is reserved to the Chief Executive Officer in coordination with the Department Director.
3.3. All electronic data stored on Authority computers or other electronic devices is the property of the Authority. Employees are reminded there is no expectation of privacy with respect to files maintained on Authority computers or data transmitted over the Authority data or communication network(s), inclusive of the Intranet and Internet. All computer transmissions originating from, sent through, or terminating at the Authority are subject to audit without notice, and all such transmissions are identifiable by origin and destination.
3.4. Employees who use Authority assets for personal purposes are responsible for any and all liability that may arise from such personal use, to include any violation of law, regulation or policy during such use.
3.5. Employees and other authorized users of Authority assets shall report any violations of this policy to local management.
3.6. Violation of this policy may result in disciplinary action up to and including termination of employment.

4. Applicability:
4.1. This policy and procedure applies to all departments within the Kansas Turnpike Authority.

5. Guidelines:
5.1. Occasional limited personal use of Authority assets is permitted subject to the following conditions. Discretion shall be exercised both by local management and the employee to ensure the Kansas Turnpike Authority’s interests are not adversely affected by such use.
5.1.1. The personal use of Authority assets shall not compromise security or the integrity of the Authority’s communications, computers and/or network.
5.1.2. Typical authorized limited personal use of the Authority’s computer and related assets includes: occasional emails to home, friends, school, doctor, etc.; accessing travel information, forms or information on the Intranet or Internet; etc.
5.1.3. Authority assets shall not be used to play computer games or games on the Internet.
5.1.4. Authority assets shall not be used in support of personal business, private consulting effort or similar venture, the business of any other company or firm, outside fund-raising activity, political or lobbying activity, nor for any illegal or other purpose that could cause embarrassment to the Authority or otherwise adversely affect its interests.
5.1.5. Authority assets (other than items such as laptops or mobile devices required by the employee for job responsibilities and supplies) must remain on Kansas Turnpike Authority controlled premises, or appropriate authorization must be obtained from management for removal of the asset.
5.2. Access to the Authority’s communications, computers and/or network by means of any personal device is strictly prohibited.
5.2.1. Employee access to the Internet using the Authority’s computers and/or network is governed by the provisions of Disciplinary Rules Policy 5-4-1 “Electronic Mail and Internet/Intranet”.
5.2.2. Although employees may have individual access passwords to voicemail, email, and computer network systems (including the Internet), these assets are accessible at all times to and by the Authority. The source of any message and the information it contains are not private, and are subject to disclosure under the Kansas Open Records Act.
5.2.3. The Authority reserves the right in its sole discretion to monitor and/or access information and messages in these communication and information systems. Anyone using Authority assets expressly consents to the monitoring of such use. The Authority also retains the right to review, audit, and disclose for business purposes all information and messages in its communication and information systems.
5.2.4. Use of Authority assets, including email systems and access to the Internet, for purposes which, in the sole discretion of the Authority, may be considered disruptive or offensive to others is prohibited. This prohibition includes, but is not limited to, accessing or transmitting sexual images, messages, jokes or cartoons; hate speech, or material that ridicules others on the basis of race, creed, religion, color, sex, disability, age, national origin, or sexual orientation or is otherwise defamatory or derogatory; content prohibited by law and/or regulation; and any material that would reflect negatively on the Authority. Creating, distributing or circulating “chain” or “pyramid” mail/transmissions is also prohibited, as is proselytizing or soliciting for outside or personal commercial venture, religious or political cause, outside organizations, or other solicitations that are not job related. Refer to Disciplinary Rules Policy 5-4-1 “Electronic Mail and Internet/Intranet”.
5.2.5. The acquisition, installation, distribution or use of personal or illegally obtained software (including freeware, screen savers and backgrounds), whether by disk or downloading from the Internet, is prohibited. However, the Authority recognizes that employees use specific freeware tools in the performance of their jobs. Downloading and/or the installation of freeware (including shareware) tools require advance approval by the Information Technology department.
5.2.6. Knowingly downloading, installing, storing or using malicious software, viruses, “cracking,” keystroke monitoring software, or other actions that may be disruptive or counter-productive to business operations is prohibited.
5.2.7. The introduction or use of packet sniffing software or any software intended to capture passwords is prohibited except when explicitly authorized and coordinated in advance with the Information Technology department.
5.2.8. Use of Authority assets to copy and/or transmit documents, software, technical data or other information protected by copyright, patent or trademark law, or other law and regulation is prohibited.
5.2.9. Any attempt to obtain unauthorized access to any computer and/or communication system on the Internet or the Authority’s Intranet is prohibited.
5.2.10. The storage, processing or transmission of government classified information on unclassified computer systems, networks or via the Intranet and Internet is prohibited.
5.2.11. Messages disseminated to all employees or large distribution lists using Kansas Turnpike Authority communication and/or data networks must be business related and approved in advance by the applicable Department Director. Using large distribution lists for non-business-related purposes, or sending large, memory intensive files or applications which may impede or disturb network operation, is prohibited.
5.2.12. Consultation with IT is required in advance prior to using specific file sharing applications for sharing large files (such as engineering documents or response to KORA requests).
5.3. The Authority operates email systems to facilitate communication between employees, customers, vendors, and business associates. These email systems and employee email accounts are Authority assets. External email accounts are not to be used to communicate Authority information. Use of the Authority’s email systems for personal use is not allowed.
5.3.1. Email messages shall meet the same standards of business etiquette that govern hard copy (e.g., written) business correspondence. Use of the Authority’s email systems for communications that violate law, regulation and policy is prohibited. This includes, but is not limited to:
• Defamatory, inflammatory, or obscene messages
• Offensive or harassing messages
• Reprimands or unprofessional conflict avoidance matters
• Personal favors or inappropriate personal messages
• Graphic content/pictures
• Inappropriate language
• Confidential information that is not sent through secure email, such as protected health information or social security or account numbers
• Political influencing, campaigning, or solicitation
• Any communication that would otherwise be deemed inappropriate for the workplace
5.4. Employees and other authorized email users should promptly delete email messages sent or received that no longer require action and that are not required to be retained by law or contract. Employees are reminded that the deletion of a message or file may not fully eliminate the message or file from the system. Please see General Policy 4-35-1 Record Retention Policy for further guidance on when to delete email messages and other records that are property of KTA.
5.5. Disciplinary Action – Violation of this policy may result in disciplinary action up to and including termination of employment.

5-4-1. ELECTRONIC MAIL AND INTERNET/INTRANET

1. Purpose:
1.1. Electronic mail ("email"), Internet access and Intranet systems, and other electronic media and equipment are business tools provided by Kansas Turnpike Authority for the timely and efficient conduct of the business. To help ensure these tools are used appropriately and consistently with company policies, ethics and values, the Kansas Turnpike Authority has developed the following email and Internet usage policy. This policy addresses access, use and disclosure of electronic mail and Internet messages and material created, sent or received by Kansas Turnpike Authority employees using the Authority's systems. The Kansas Turnpike Authority reserves the right to change this policy as it deems appropriate.

2. Policy:
2.1. Access to and use of the email, communications, and computers are reserved primarily for the conduct of Company business. Limited personal use of these systems is permitted subject to the provisions of Disciplinary Rules Policy 5-3-1 “Kansas Turnpike Authority Computer Usage Policy and Guidelines”.

3. Applicability:
3.1. This policy and procedure applies to all departments within the Kansas Turnpike Authority.

4. Guidelines:
4.1. Authority Property – The email and Internet access/Intranet systems and hardware are company property. All messages and attachments composed, sent or received on the email or Internet access/Intranet systems are and remain the property of the Kansas Turnpike Authority. They are not the private property of any employee, and employees should not consider email or Internet/Intranet messages or material private or their personal possessions. Email messages should meet the same standards of business etiquette that govern "hard copy" business correspondence.
4.2. Downloads and Attachments – The Kansas Turnpike Authority prohibits downloading files or documents from the Internet. However, in some cases obtaining files from the Internet may be a necessary requirement for certain job functions. In those instances the Authority requires that such documents be job-related or consistent with the provisions of Kansas Turnpike Authority Disciplinary Rules Policy 5-3-1 “Kansas Turnpike Authority Computer Usage Policy and Guidelines” and constitute a reasonable use of Kansas Turnpike Authority's resources.
4.3. Virus Scanning – Files downloaded from the Internet must be scanned using the Kansas Turnpike Authority approved virus scanning program prior to executing on a company computer. It is recommended that the source code be retrieved and reviewed as opposed to binary formats.
4.4. Viruses – Employees may not use Kansas Turnpike Authority's email or Internet access systems to develop or send any virus or otherwise malicious program. Employees should not open emails or attachments unless they are confident of the identity of the sender.
4.5. Offensive or Harassing Use Prohibited – The email and Internet access/intranet systems shall not be used to create and/or distribute any offensive or disruptive messages or material. Messages or material deemed offensive or disruptive include, but are not limited to, sexual images or cartoons (video or audio medium), hate speech, material that ridicules on the basis of race, creed, religion, color, sex, disability, age, national origin, or sexual orientation, or is otherwise defamatory, derogatory or inappropriate for a business environment. The electronic mail and Internet access/Intranet systems must not be used to commit any crime, including but not limited to sending obscene emails over the Internet with the intent to annoy, abuse, threaten or harass another person. The Authority will have the sole discretion to determine what messages or materials are deemed offensive, harassing or disruptive.
4.6. No Sexually Oriented Sites – Kansas Turnpike Authority's Internet access system must not be used to visit sexually-oriented or otherwise offensive or inappropriate web sites, or to send, display, download or print offensive material, obscene, pornographic or sexually-oriented pictures or any other such materials.
4.7. Solicitation Prohibited – The email and Internet access/Intranet systems may not be used to solicit or proselytize for outside or personal commercial ventures, religious or political causes, outside organizations, or other solicitations which are not job-related.
4.8. Chain Letters – Employees must not send or forward "chain letter" emails.
4.9. Gaming or Gambling – The email and Internet/Intranet systems shall not be used to facilitate any Internet gaming or games of chance, including sports betting pools (regardless of the amount of money involved) and fantasy sports leagues.
4.10. Copyrighted Material and Trade Secrets – The electronic mail and Internet access systems must not be used to send (upload) or receive (download) copyrighted materials, trade secrets, proprietary financial information or similar materials without prior management authorization.
4.11. Company Right to Monitor – Kansas Turnpike Authority reserves and exercises the right to review, audit, intercept, store, access and/or disclose messages or material, including attachments, created, received or sent, web sites visited and/or files downloaded over the Authority's electronic mail or Internet access systems. Information Technology support staff may monitor the use of its systems in its sole discretion, at any time, with or without notice to any employee and may bypass any access control in place. The Information Technology Department shall block access to Internet websites and protocols that are deemed inappropriate for the Authority’s corporate environment. Certain individuals may require specific exceptions based on job requirements. The following protocols and categories of websites will be blocked:
• Adult/Sexually explicit material
• Advertisements & pop-ups
• Chat and instant messaging
• Gambling
• Hacking
• Illegal drugs
• Intimate apparel and swimwear
• Peer-to-peer file sharing
• Personals and dating
• Political influencing, campaigning, or solicitation
• Social network services
• SPAM, phishing and fraud
• Spyware
• Tasteless and offensive content
• Violence, intolerance and hate
4.12. File sharing – Employees who need to share large files for a business purpose, e.g., engineering documents or response to KORA requests, should consult with IT for approval to use designated file sharing applications. If confidential information needs to be communicated via email, employees should use secure email (consult with IT if needed).
4.13. Confidentiality – The confidentiality of any message or material should not be assumed. Even when a message or material is erased, it may still be possible to retrieve and read that message or material. Further, the use of passwords for security does not guarantee confidentiality. Notwithstanding Kansas Turnpike Authority's right to retrieve and read any email or Internet messages or material, such messages or material should be treated as confidential by other employees and accessed only by the intended recipient. Employees are responsible for maintaining the confidentiality of material on the systems. Without prior management authorization, employees are not permitted to retrieve or read email messages that are not sent to them. The contents of electronic mail or Internet messages or materials may, however, be disclosed to others within the Authority, with prior management authorization. Please refer to Policy 4-35-1 Record Retention Policy for further guidance on when to delete email messages and other records.
4.14. Disciplinary Action – Violation of this policy may result in disciplinary action up to and including termination of employment.
Information Security Program

Policy: This policy defines the types of data and assets that make up Kansas Turnpike Authority’s (KTA) production network, who should have access to the various systems and data, and how that access is enforced. This policy is designed to build and maintain a secure network.

Responsibilities: This policy is the responsibility of, and maintained by, the Manager of Information Security and information technology ("IT") staff. It is the responsibility of all managers and employees to assist with the enforcement of the policies referenced herein. This article should be reviewed annually, or sooner as need dictates, based on significant network or business rule changes. All breaches of policy should be reported to the IT staff immediately to determine the full scope of the issue. All breaches and failures to follow these policies should be reported to management and the human resources department, and may result in disciplinary actions up to and including termination of employment. The policy here affects all users who have access to any portion of the systems that process cardholder data through any means. Exclusions to any individual policies must be documented in the policy.

Implementation Security and Acceptable Use: This policy should be disseminated to all relevant personnel (including vendors and business partners) at least annually. This policy should be reviewed annually and updated whenever the CHD environment changes. Security policies identify information and security responsibilities to all personnel. Responsibility for information security is formally assigned to the Network and Security Manager. This includes ensuring the establishment, documentation, and distribution of the incident response and escalation procedures. To ensure due diligence prior to engaging a service provider with whom cardholder data is shared, a process must be established that:
• Requires that service providers acknowledge their responsibility for securing cardholder data.
• Requires that any user working with cardholder data does not transmit this data in any electronic format (i.e., email, instant messaging, etc.).
• Guides due diligence actions prior to engaging a new service provider, and monitors service providers to ensure PCI DSS compliance at least annually.
The incident response plan must include:
• Roles, responsibilities, communication and contact strategies in the event of a compromise.
• Specific incident response procedures.
• Business recovery and continuity procedures.
• Data back-up processes.
• Analysis of legal requirements for reporting compromises.
• Coverage and response of all critical components.
• Reference or inclusion of incident response procedures from the payment brands.
• The incident response plan must be tested at least annually.
• Personnel must be designated to be available to respond to incidents at all hours. These individuals will be trained on a periodic basis on their security breach responsibilities.
• The incident response plan will be updated according to lessons learned and industry developments.
Security Awareness Program: A security awareness program will exist which is designed to make all personnel aware of the importance of data security. The program will meet the following requirements:
• Security awareness will be communicated to personnel using multiple methods (e.g., posters, letters, memos, web-based training, etc.).
• All personnel will attend training upon hire and annually thereafter.

Physical Security: All employees and visitors with access to the primary or backup data centers must be issued badges which adhere to the following guidelines:
• All visitors to areas where cardholder data is processed or maintained must wear a visitor badge which is to be easily distinguishable from non-visitor badges.
• Badges must be updated as needed, when an employee’s access changes. Visitor badges must be revoked or expire when no longer needed.
• Visitor badges must be surrendered upon departure or expiration.
• Access and event logs are reviewed periodically, and alerts are sent to a distribution list upon any abnormal events or alarms.
Access to sensitive areas where cardholder data is handled requires the individual to have a job-related function or justification. If employees need temporary access, they will be required to fill out a ticket containing the appropriate information to be able to grant access. The individuals allowed to issue badges are Michael Schneider and Thomas Engdahl. Administrative access to the badge system is limited to the following employees: Richard Woodward, Nick Parrott, Thomas Engdahl, Michael Schneider.
A visitor log must be maintained for areas where cardholder data is processed or maintained:
• Wichita KTAG CSR area
• Lawrence KTAG CSR area
The logs must be retained for a minimum of 90 days.

Physical Inspection of POS readers: Point of Sale devices must be inspected on a regular basis. This is to check for skimmers, damaged readers, physical cabling issues, tamper sticker damage, etc. For KTA’s automatic payment machines, the insertion reader inspections should be tracked using the appropriate tracking form, provided at each Automatic Payment Machine.

Physical Media Destruction: Kansas Turnpike Authority employees that work with any type of cardholder data are required to adhere to the following shredded media policy.
• Hard-copy materials must be crosscut shredded daily such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
• Storage containers used for materials that are to be destroyed must be secured.
• Cardholder data on electronic media must be rendered unrecoverable (e.g. via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).

KTA Change Control Policy: This policy covers any modification to KTA systems, whether planned or unplanned, that can impact regular business operations. Industry requirements that govern particular classifications of data may dictate controls; this is the case with PCI compliance. These requirements affect any part of the cardholder environment. A formal request for change (RFC) will be required under the following circumstances:
• Modification of network infrastructure, security, controls, hardware, operating systems, applications, databases, etc.
• Addition of new hardware or software to the environment.
The primary objective of this process is to ensure that a valid business case has been prepared that demonstrates the costs and risks associated with the change, and that all PCI requirements continue to be met. All changes must be approved by the KTA management that is directly involved with the changes being made.

KTA Password Policy: KTA requires users to have a unique and complex password. For CSR workstations (Windows login), users must adhere to the following requirements:
• Minimum of 8 characters, cannot reuse last 10 passwords, 90-day expiration, account locked after 6 attempts, 30-minute lockout timer, password complexity required.
For web servers, users must adhere to the following requirements:
• Minimum of 7 characters, restriction of repeating characters, cannot reuse last 5 passwords, can contain all characters (letter, number, special character), 45-day expiration.

KTA Cardholder Data Retention Policy: KTA does not store any cardholder data. All cardholder data is encrypted upon entering, swipe, etc. This data is then sent to the credit card processing provider, and a token is returned for KTA reference.

KTA Software and Vulnerability Update Policy:
• Software and vulnerability notifications for the web server(s) are currently sent by our Tripwire software. In addition, manual retrieval of security updates for the RHEL servers will be required in order to ensure updates are applied.
• For our Checkpoint IDS/IPS database and signature revisions, updates and notifications are available within the Checkpoint dashboard; updates can also be downloaded and applied from within that location, and this also requires user interaction.
• In addition, the CVE vulnerability database is monitored, and action is taken if applicable.
• Applicable vendor-supplied “critical” security patches are installed within one month of release.
• All applicable vendor-supplied security patches are installed within an appropriate timeframe.

KTA Privileged Access Policy:
• Users that require administrative access to any cardholder environment are evaluated based on the individual’s job function. User accounts are requested through KTA’s ticketing system.

KTA List of Service Providers:
• The following service providers are associated with procedures and processes that integrate with KTA’s cardholder environment.
  o Bank of America – First Data
  o Tempus Technologies
  o Lifeboat Creative
• These service providers are required, at least on an annual basis, to provide evidence that they are PCI compliant (based on their business function), and that they keep up with secure practices surrounding their area of involvement with KTA.

KTA Approved POS Devices:
• All cardholder transactions are performed using only the following devices; these devices have been approved by KTA management. See hardware spec sheets.
  o IDTECH SecureKey M100/M130 encrypted keypad
  o IDTECH SecureMOIR encrypted insertion readers

KTA Remote Access Policy:
• Users who require remote VPN access to the cardholder environment are required to request it through the appropriate KTA channels; this will involve use of KTA’s ticketing system.
  o Account expiration is determined at the time of creation (no greater than 90 days).
  o Remote accounts become disconnected after a period of inactivity; this will require the remote user to re-authenticate.
  o Remote users authenticate to KTA’s network using 2-Factor Authentication.

KTA Audit Logging and Review Policy: Security auditing must be enabled on the following components and systems. In addition, the clocks on these systems must be synchronized through KTA’s internal NTP server.
• Webserver
• Firewall
• Physical access control system
These logs must be maintained for 12 months with 3 months (90 days) readily accessible. Items that are logged may include:
• User identification
• Type of event
• Date and time
• Success or failure indication
• Origination of event
• Name of affected data, system or resource
All audit trails are protected and only viewable to those with a job-related need. Log data is backed up daily on all systems. Certain systems utilize a FIM (File Integrity Monitor) to ensure that any changes to files are not only logged but that certain items generate real-time alerting.
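The audit logging requirements above (the listed event attributes, NTP-synchronized clocks, 12 months of retention with 90 days readily accessible, and auditing on the web server, firewall and physical access control system) can be checked mechanically over exported log records. The following Python is an added example, not KTA's own tooling; it assumes a JSON-record-per-line export with a collector-stamped received_at field, a 30-second skew tolerance, and constructed sample records.

```python
"""Added example: review exported audit records against the KTA Audit Logging
and Review Policy (required fields, clock sync, retention tiers, audited
systems). The record format, field names, the received_at collector stamp,
the 30 s skew tolerance and all sample lines are constructed assumptions."""
import json
from datetime import datetime, timedelta, timezone

# Event attributes the policy lists as items that are logged
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "outcome", "origin", "target")
# Components on which the policy requires security auditing to be enabled
AUDITED_SYSTEMS = ("webserver", "firewall", "physical_access")
HOT_DAYS = 90                      # readily accessible window (3 months)
RETAIN_DAYS = 365                  # total retention (12 months)
MAX_SKEW = timedelta(seconds=30)   # assumed tolerance for NTP drift

# Review date and sample records are constructed. "received_at" is the log
# collector's own clock, so a large gap to "timestamp" means the source
# system's clock has drifted from the internal NTP server.
NOW = datetime(2021, 3, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '{"system":"webserver","user":"csr01","event_type":"login","timestamp":"2021-03-17T10:00:00Z",'
    '"received_at":"2021-03-17T10:00:02Z","outcome":"success","origin":"10.0.5.21","target":"/admin"}',
    '{"system":"firewall","event_type":"rule_change","timestamp":"2021-01-20T08:30:00Z",'
    '"received_at":"2021-01-20T08:30:01Z","outcome":"success","origin":"console","target":"policy-main"}',
    '{"system":"webserver","user":"deploy","event_type":"file_modified","timestamp":"2020-11-01T00:00:00Z",'
    '"received_at":"2020-11-01T00:10:00Z","outcome":"success","origin":"10.0.5.40","target":"/var/www/app.py"}',
    '{"system":"firewall","user":"admin","event_type":"login","timestamp":"2020-02-01T09:00:00Z",'
    '"received_at":"2020-02-01T09:00:00Z","outcome":"failure","origin":"203.0.113.9","target":"mgmt"}',
    'not a json record',
]


def parse_event(line):
    """Parse one JSON audit record; return None for malformed input."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    return ev if isinstance(ev, dict) else None


def parse_ts(value):
    """ISO-8601 text with a trailing Z to an aware datetime; ValueError if unusable."""
    if not isinstance(value, str):
        raise ValueError("timestamp is not a string")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def missing_fields(ev):
    """Required items (per the policy) that are absent or empty in a record."""
    return [f for f in REQUIRED_FIELDS if not ev.get(f)]


def retention_tier(event_time, now):
    """hot = readily accessible (up to 90 days), archive = kept up to 12 months,
    purge = older than the 12-month retention period."""
    age = now - event_time
    if age > timedelta(days=RETAIN_DAYS):
        return "purge"
    if age > timedelta(days=HOT_DAYS):
        return "archive"
    return "hot"


def review_log(lines, now=NOW):
    """Return findings: malformed line numbers, incomplete records with their
    missing fields, lines whose source clock is out of sync, counts per
    retention tier, and audited systems that produced no events at all."""
    findings = {"malformed": [], "incomplete": {}, "skew": [],
                "tiers": {"hot": 0, "archive": 0, "purge": 0}, "silent_systems": []}
    seen = set()
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev is None:
            findings["malformed"].append(n)
            continue
        seen.add(ev.get("system"))
        miss = missing_fields(ev)
        if miss:
            findings["incomplete"][n] = miss
        if "timestamp" in miss:
            continue                      # no time: nothing more to check
        try:
            event_time = parse_ts(ev["timestamp"])
            received = parse_ts(ev.get("received_at", ev["timestamp"]))
        except ValueError:
            findings["malformed"].append(n)
            continue
        if abs(received - event_time) > MAX_SKEW:
            findings["skew"].append(n)    # source clock not in sync with NTP
        findings["tiers"][retention_tier(event_time, now)] += 1
    findings["silent_systems"] = [s for s in AUDITED_SYSTEMS if s not in seen]
    return findings


if __name__ == "__main__":
    print(json.dumps(review_log(SAMPLE_LOG), indent=2))
```

On the constructed sample the review flags the unparseable fifth line, the firewall record with no user identification, the web server record whose clock is ten minutes off, and the absence of any physical access control events.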
Incident Response Plan / Policy

Policy: This policy defines procedures that allow the Kansas Turnpike Authority to respond quickly and adequately to Information Technology security incidents.

Guidance: The following regulations, guidance, and standards were considered as part of the development of this policy: Network Security, and addressing PCI DSS ver 3.2.1.

Scope: This policy applies to all systems that store, process, or transmit cardholder data. This includes all point-of-sale devices.

Commentary: As they pertain to Information Technology, security incidents are defined as events that interrupt normal operating procedures and trigger some level of crisis or data compromise. Some examples of applicable incidents are:
• Attempted or successful network or computer penetration attempts
• An outbreak of a computer virus or other malicious software
• Any physical security breaches, including point-of-sale devices
• Unexpected escalation of account privileges
• The appearance of unexpected network or other user accounts
• Any unauthorized access to cardholder data or systems

One of the primary purposes of this policy is to define primary responsibilities in the event of a suspected or verified security incident. It is not possible to define every aspect of every possible security incident and every step the organization will take in response. However, basic steps can be defined, including who will make which major decisions as the organization responds and recovers. The individuals with security breach response responsibilities are:
• Nick Parrott (Team Lead) – Network and Security Manager. Responsible for communication and for strategies to neutralize any incident in a timely and efficient manner.
• Tim Means (Computer System Administrator) – Responsible for FW-related breaches and for end-user terminals/systems.
• Blake Butterworth (App/Dev Manager) – Responsible for breaches regarding website security, online customer applications, etc.

This policy documents the overall planning and responsibility for incident response.

Incident Response Team – Roles and Communication Strategy: Identify and document Incident Response Team members and their emergency contact information. Make this contact information available to each team member when at work or away from work. Assign a Primary Team Leader who is responsible for overall incident response and a Secondary Team Leader who functions as Team Leader in the absence of the Primary Leader. Include in the Incident Response Team representation from the following areas:
• Bruce Meisch – Director of Technology
• Nick Parrott (Team Lead/Primary) – Network and Security Manager
• Tim Means (Secondary) – Computer System Administrator
• Blake Butterworth – App Development Manager
• External security consultants as determined necessary by senior management: OPTIV Security

Ensure team membership includes personnel that:
• Have appropriate training to investigate and report findings.
• Have access to backup data and systems, an inventory of all approved hardware and software, and monitored access to systems (as appropriate).
• Have appropriate authority and/or access to senior management for timely approval of incident-related decisions.

Availability: Personnel designated as part of the incident response team must be available for incident monitoring and response at all times. Monitoring will include, as appropriate:
• Evidence of unauthorized activity
• Detection of unauthorized access points
• Critical IDS alerts
• Reports of unauthorized critical system or content file changes

Coverage: Coverage of systems included in this response plan will extend to all critical systems within the in-scope environment.

Incident Response Training, Testing, and Documentation: Perform appropriate training of the Incident Response Team periodically. Design training and testing to include team orientation (review of responsibilities and interaction with personnel and appropriate outside agencies, such as law enforcement), as well as scenario-driven discussions in which various types of incidents, including those involving external service providers, are reviewed and evaluated. Document incident response tests in the same manner as real incidents (as described below). Document suspected or verified security incidents that invoke the involvement of the Incident Response Team.

Service Providers: Upon notification of a security incident from a service provider, follow the same procedures as those involving company-controlled systems and premises.

Notification Checklist: In the event of a suspected security incident, the acting Team Leader will ensure that a Notification Checklist is promptly started and is filled out as completely as possible. The notification checklist will include the following, at a minimum:
• Upon notification of a breach, ensure notification to the payment brand.
• Ensure legal requirements are considered so that customer reporting is completed, if required.

Incident Response Procedures: As soon as the checklist is completed, the acting Team Leader will determine whether an incident has occurred. If an incident has occurred, the Team Leader will call the Incident Response Team together to begin the process of investigation, response, and restoration. At this point, the Team Leader will contact external security professionals if deemed necessary.

Response Strategy / Coverage and Response for all Critical System Components: Immediately following determination of a security incident, the acting Team Leader will convene the Incident Response Team. As a team, develop a response strategy to be approved by senior management. Such a strategy normally includes:
• Isolation of compromised systems or enhanced monitoring of intruder activities
• Search for additional compromised systems
• Collection and preservation of evidence
• Reaching out to technical experts, if needed

Notification of Authorities and/or Customers (Requirements for reporting compromises): Based on evaluation of the notification checklist and subsequently collected information, the Incident Response Team will determine if sensitive customer information has been accessed in an unauthorized fashion. For the purpose of this plan, "sensitive customer information" has been defined as any of the following information:
• A customer's name
• A customer's address
• A customer's telephone number
in conjunction with the following customer information:
• A personal identification number or password that would permit access to the customer's account

In the event that a card provider has specific terms or incident response procedures, those must be included in the restoration strategy.

Restoration Strategy: As the response strategy is developed, appropriate restoration procedures are approved by senior management and implemented. These should address the following:
• Elimination of an intruder's means of access
• Freezing or closing affected customer accounts when applicable
• Restoration of systems, programs, and data
• Internal communication/training as appropriate
Roadside Toll Collection System RFP Attachment 7 – Kansas License Plate Guide Attachment 7 Kansas License Plate Guide Kansas Turnpike Authority (KTA) March 18, 2021 Attachment 7
VERSION 3.0 – 2020 KANSAS LICENSE PLATE GUIDE
EMBOSSED & DIGITAL LICENSE PLATES
PREPARED BY: DIVISION OF VEHICLES, VEHICLE SERVICES

Confidential

KANSAS LICENSE PLATE GUIDE

The Division of Vehicles implemented a new manufacturing process and delivery method for Kansas license plates. The change became effective August 1, 2018 for license plates issued to Apportioned vehicles engaged in interstate commerce. For all passenger vehicles and intrastate Commercial vehicles, the change became effective August 15, 2018. In addition to the embossed and digital plates, the K-State, Ag in the Classroom, KCC Equipment Tag, Personalized, and Disabled Personalized plates all have new designs for 2020. Also for 2020, Dealer plate text is now green and a new Rental Fleet plate was added by the legislature.

NOTE: Although limited, there are some old Capital/Dome embossed plates still on the road. They can be Standard, Standard Disabled, Amateur Radio, Special Interest and Street Rod in design. These are rare and are slowly being replaced.

CURRENT PLATE IMAGES

[The guide's table has the columns Title, Note, Embossed, Digital and New Digital 2020; the plate images in the last three columns are not reproduced here. The header row also carries the note "renewals & duplicate replacements only". The plate titles and their notes follow, in the guide's order.]

Baker University
Benedictine College
Emporia State University
Fort Hays State University
Friends University
Kansas State University (motorcycle plates available)
Ottawa University (renewals & duplicate replacements only)
Pittsburg State University
University of Kansas (motorcycle plates available)
Washburn University
Wichita State University
Agriculture in the Classroom
Amateur Radio Operator (dark blue or black letters)
Autism Awareness (Digital Only)
Breast Cancer Research
Children's Trust Fund (Digital Only)
City of Wichita Limited Edition (black letters)
City of Wichita (white letters; Digital Only)
Donate Life (motorcycle plates available)
Ducks Unlimited
Eisenhower Foundation
Emergency Medical Services (motorcycle plates available)
Families of the Fallen (motorcycle plates available)
Firefighter (motorcycle plates available)
Gold Star Mother (motorcycle plates available)
Horse Council
Foreign Organization
I'm Pet Friendly (motorcycle plates available)
In God We Trust (motorcycle plates available)
Masonic Lodge
Shriner's
Support the Arts
Special Olympics (Digital Only)
Antique [1] – current issue (motorcycle plates available)
Antique [2] – previously issued (original plate only)
Personalized Antique (motorcycle plates available)
Special Antique [3] (original plate only)
Special Interest [4] (motorcycle plates available)
Street Rod [5] (motorcycle plates available)
Cong. Medal of Honor
Ex-Prisoner of War
National Guard (motorcycle plates available)
Pearl Harbor Survivor
Purple Heart (motorcycle plates available)
U.S. Veteran (motorcycle plates available)
Vietnam Veteran (motorcycle plates available)
Enduring Freedom (motorcycle plates available; Digital Only)
Iraqi Freedom (motorcycle plates available; Digital Only)
Desert Storm (motorcycle plates available; Digital Only)
Korean War Veteran (motorcycle plates available; Digital Only)
Disabled Veteran (motorcycle plates available)
Standard (current issue; motorcycle and motorized bicycle plates available)
Standard Disabled (current issue; motorcycle plates available)
2015 Personalized (motorcycle plates available)
2015 Disabled Personalized (motorcycle plates available)
2020 Personalized (motorcycle plates available)
2020 Disabled Personalized (motorcycle plates available)
City/County/School District/Township [6]
Dealer (motorcycle plates available; Digital Only)
Dealer Lender (motorcycle plates available; Digital Only)
Dealer Salvage (Digital Only)
Dealer Wholesale (Digital Only)
Dealer Manufactured Home (Digital Only)
Dealer Trailer (Digital Only)
Dealer D-Hauler (Digital Only)
Dealer Full Use (motorcycle plates available; Digital Only)
Dealer Drive Away (Digital Only)
Rental Car Fleet (Digital Only)
Highway Patrol
Highway Patrol – Capitol Police and Motor Carrier Enforcement
KCC Equipment (Digital Only)
Kansas Official (motorcycle plates available)
Kansas Official (motorcycle plates; renewals & duplicate replacements only)
Motor Carrier Apportioned Trailer Permanent
Motor Carrier Apportioned Truck
Motor Carrier Commercial
Motor Carrier Custom Harvester
Motor Carrier Fleet
Motor Carrier Utility Trailer

[1] Vehicle must be at least 35 model years old or older, and not be altered or modified from the original manufacturer's model, except for safety components.
[2] These antique plates are still valid; however, Kansas no longer issues the blue and yellow plates.
[3] Kansas antique vehicle owners are allowed to display a Kansas-issued license plate that corresponds to the vehicle year of the antique, providing the vehicle and license plate are at least thirty-five years old. Example: a 1956 Ford with a Kansas license plate initially issued in 1956 will have a "56" on the plate. The plate used must not be altered or defaced and must be as originally issued by the State of Kansas.
[4] Motor vehicle more than 20 years of age which has not been altered or modified from the original manufacturer's specifications except to assure normal running operation or to meet specific safety inspection requirements on original equipment, or both.
[5] Manufactured in 1949 or before and altered or modified. The main component of a street rod that must still be part of the original vehicle is the body, i.e. the body must be all original steel. "Kit Cars" do not qualify as street rod vehicles.
[6] Decals at the bottom read either City, County, School District or Township. A0000 or 00000 combinations available.
Roadside Toll Collection System RFP Attachment 8 – Implementation Responsibility Matrix Attachment 8 Implementation Responsibility Matrix Kansas Turnpike Authority (KTA) March 18, 2021 Attachment 8
Roadside Toll Collection System RFP Attachment 8 – Implementation Responsibility Matrix

Implementation Responsibility Matrix

Work Item: 1 = Design, 2 = Furnish, 3 = Install

Responsibility:
A = Primary Responsibility – The party has the primary responsibility for completion of the item.
B = Support / Coordination – The party provides either support or coordination to assist the primary responsible party with successful completion of the item.
C = No Responsibility – The party has no action for the item.

Columns: RTCS Item | Element / Task / Component / Sub-system Description | KTA (1 2 3) | Contractor (1 2 3)

Roadside Toll Infrastructure Design and Construction
1 | Oversight of all aspects of toll site construction to ensure all parties are coordinated and performing to expectations. | A A A | B C C
2 | Selection of Toll Zone locations. | A A A | C C C
3 | Site work, including earthwork, grading, paving, barrier, retaining walls, and drainage throughout the corridor. | A A A | C C C
4 | Toll gantries and foundations. | A A A | B C C
5 | RTCS PoP toll equipment buildings. | A A A | B C C
6 | Conduit, junction boxes, pull boxes, etc. from toll equipment buildings/vaults and cabinets to toll gantries, including loop/lead-in boxes. | A A A | B B C
7 | All WAN network communications equipment and wiring to the Tolling Locations demark location at each PoP for the RTCS and to the primary and secondary location for the RSS. | A A A | B C B
8 | Electrical wiring and network communications from demarcation point in toll equipment PoP buildings to overhead toll equipment, in-pavement toll equipment and DVAS cameras. | B C B | A A A
9 | Power and utility services to all Tolling Locations, including utility power, backup generator, automatic transfer switch and UPS installation. | A A A | C C C
10 | Maintenance of Traffic (MOT) during civil construction. | A A A | C C C

Roadside Toll Collection System (RTCS)
11 | RTCS Design, Installation Drawings, and System Documentation for Roadside and Roadway Support Systems. | C C C | A A A
12 | RTCS equipment enclosures in the PoP buildings, as needed. (No equipment cabinets are expected outside of the PoP buildings or on the toll gantry structure.) | B C C | A A A
13 | Define the tolling business rules and tolling policies for the turnpike. | A A A | B B B
14 | Equipment brackets and mounting hardware for overhead toll equipment on toll gantries, for both existing and newly constructed gantries. | B C C | A A A
15 | All RTCS equipment and mounting hardware, including the AVI readers/antennas. | C C C | A A A
16 | KTA Interoperable Partner compatible tri-protocol readers and Automatic Vehicle Identification (AVI) System as Approved by KTA. | B C C | A A A
17 | All RTCS equipment installations, terminations, and connections, including DVAS. | C C C | A A A
18 | Any required in-pavement toll equipment. | B C C | A A A
19 | Automatic Vehicle Detection and Classification (AVDC) System. | C C C | A A A
20 | Digital Video Audit System (DVAS) with overview cameras of each RTCS Toll Zone. | C C C | A A A
21 | Image Capture and Processing Systems (ICPS) including front & rear color cameras, lighting, lighting sensors, and accurate and timely image processing. | C C C | A A A
22 | Wrong Way Vehicle detection at existing and new Tolling Locations, integrated with the RTCS for sending real-time alerts, images, and video and interfaces to Wrong Way signs on the roadway. | C C C | A A A
23 | Wrong Way Vehicle detection signs at existing and new Tolling Locations. | A A A | C C C
24 | Wrong Way Vehicle detection communication tie-ins at existing and new Tolling Locations. | B C C | A A A
25 | Management of Traffic (MOT) during RTCS installation and maintenance. | B B B | A A A
26 | Physical access control, fire detection, and security CCTV at PoP locations. | A A A | C C C

Roadside Support Systems (RSS)
27 | Facilities for Primary and Secondary (Disaster Recovery) data center sites for Roadway Support Systems. | A A A | C C C
28 | WAN Network communications equipment (including all switches) for Roadway Support Systems to the WAN demark. | A A A | C C C
29 | Roadway Support Systems network equipment (behind the WAN demark), computer servers, and software in primary and DR locations. | C C C | A A A
30 | Interface between RTCS and the KTA CSC Back Office. | B B B | A A A
31 | Digital Video Audit Subsystem. | C C C | A A A
32 | Maintenance Online Management System (MOMS), integrated with the RTCS for sending real-time alerts and for logging maintenance records. | C C C | A A A
33 | Accurate and timely License Plate (LP) values, state jurisdictions, and plate types (if applicable) using OCR/ALPR for all AVI and image-based transactions and images presented to KTA CSC Back Office. | C C C | A A A
34 | Physical access control, fire detection, and security CCTV at primary and DR data center locations. | A A A | C C C
35 | Power and HVAC at primary and DR data center locations. | A A A | C C C

Other Responsibilities
36 | Incident Management services for the turnpike. | A A A | C C C
37 | Maintain the roadway and roadside structures. | A A A | C C C
38 | Onsite Maintenance of the Roadway Toll Collection System. | A A A | C C C
39 | Remote Maintenance of the Roadway Toll Collection System. | C C C | A A A
40 | Responsible for issuing AVI transponders, for providing account maintenance services, and for providing the transponder status list for all KTA and compatible transponders via Bulk and Incremental TVL downloads to the RTCS. | A A A | B B B
41 | Responsible for presenting fully-formed toll transactions including AVI and image-based transactions from the RTCS to the RSS and to the KTA CSC Back Office. | C C C | A A A
42 | Responsible for processing all fully-formed toll transactions including AVI and image-based transactions presented from the RTCS. | A A A | B C C
43 | Responsible for processing the posting disposition from the KTA Back Office for all toll transactions sent to the KTA Back Office for reporting and reconciliation purposes. | B C C | A A A
44 | Responsible for providing all collection efforts for all image-based toll transactions and associated selected images presented from the RTCS including generating and mailing "image-based transaction" invoices, processing payments and dispute resolution. | A A A | C C C
45 | Coordination and suspension of tolls during incidents per the KTA-approved operating procedures. | A A A | C C C
46 | Responsible for immediately updating MOMS as devices are added or taken out of service on KTA facilities during the Implementation Phase. | B B B | A A A
47 | Responsible for immediately updating MOMS as devices are added or taken out of service on KTA facilities during the Maintenance Phase. | A A A | B B B
48 | Responsible for providing secure access to the RTCS from KTA workstations and laptops. | B B B | A A A
49 | Wide Area Network (WAN) physical network from PoP to PoP and from each PoP to the KTA Primary and Secondary data centers. | A A A | B C B
50 | Maintenance of conduit, junction boxes, pull boxes, etc. for all network civil infrastructure. | A A A | B C B
51 | FCC licenses and permitting for the RTCS at each Toll Zone. | A A A | B B B
Roadside Toll Collection System RFP Attachment 9 – Special Instructions – Traffic Control Restrictions Attachment 9 Special Instructions – Traffic Control Restrictions Kansas Turnpike Authority (KTA) March 18, 2021 Attachment 9
Roadside Toll Collection System RFP Attachment 9 – Special Instructions – Traffic Control Restrictions

KANSAS TURNPIKE AUTHORITY
PROJECT SPECIAL PROVISION TO THE STANDARD SPECIFICATIONS, EDITION OF 2015
SPECIAL INSTRUCTIONS – TRAFFIC CONTROL RESTRICTIONS

1.0 KANSAS TURNPIKE MAINLINE LANE CLOSURES I-70 (MM 183 to MM 224): Mainline single lane closures on the I-70 corridor from MM 183 to MM 224 will not be allowed before 9:00 AM and must be removed before 3:30 PM. All lane closures must be removed on Fridays by 12:00 Noon. When working in the six-lane segment during this time period, the left lane may be closed while leaving both the middle and right lanes open, or the right lane may be closed leaving the middle and left lanes open. Work in the middle lane shall require two lanes of closure and will only be allowed during Weekday Off-Peak Hours as defined in Section 3.0. When working in the middle lane, the Contractor will have the option of closing the left lane and middle lane or the middle lane and right lane.

2.0 KANSAS TURNPIKE MAINLINE LANE CLOSURES I-35, I-335 and I-470 (MM 0 to MM 183): Mainline lane closures on all other corridors (I-35, I-335 and I-470 from MM 0 to MM 183) will not be allowed before 7:00 AM and must be removed before 7:00 PM. The Engineer has final discretion in adjusting these hours if conditions (in his sole opinion) warrant doing so.

3.0 WEEKDAY OFF-PEAK HOUR WORK: Weekday off-peak hours are defined as 7:00 P.M. to 6:00 A.M. Weekday off-peak hour work and hours must be pre-approved by the Engineer. The Contractor is required to request weekday off-peak hour work and hours a minimum of 48 hours in advance. The Engineer may restrict weekday off-peak hour work due to special events that may adversely affect traffic and cause disruption to KTA customers. It is the sole opinion of the Engineer when weekday off-peak hour work will be restricted. Work to set up traffic control for a lane closure during weekday off-peak hour work is not allowed to begin until 7:00 P.M. All traffic control for lane closures during off-peak hour work must be removed before 6:00 A.M.

4.0 SATURDAY OFF-PEAK HOUR WORK: Saturday off-peak hour work and hours must be pre-approved by the Engineer. The Contractor shall request Saturday off-peak hour work and hours a minimum of 48 hours in advance. The Engineer may restrict Saturday off-peak hour work due to special events that may adversely affect traffic and cause disruption to KTA customers. It is the sole opinion of the Engineer when Saturday off-peak hour work will be restricted. No Sunday work will be allowed.

5.0 CONSTRUCTION VEHICLE MOVEMENTS WITHIN PROJECT LIMITS: All Contractor and construction vehicles are prohibited from making turnarounds through the median barrier wall. Turnarounds shall be made at Service Areas and Interchanges ONLY! If the contractor or any subcontractor is observed making a turnaround through the median barrier wall, the project engineer(s) shall have discretion to notify the General Contractor that all work, regardless of who violated this rule, is immediately suspended for the remainder of that day. No allowance shall be made in work-schedule-related penalties for this lost time.

6.0 TRAFFIC CONTROL SIGNS AND DEVICES: The speed limit through the construction zone will be reduced to 65 mph. The Contractor shall use conical delineators on this project for all traffic control delineation. The Contractor shall be responsible for covering all