Reference #: ITD-SEC-6.2
Issue #: 2
Revision Date: March 6, 2014
This policy applies to
All agencies and entities governed by the overarching Enterprise Information Security Policy must adhere to the requirements of this supporting policy:
- Executive Department Agencies.
- Third parties with whom Executive Department Agencies contract for the provision of web services such as hosting and development services.
- Non-Executive Department entities whose sites become part of Mass.gov through portalization.
This policy articulates the requirements that agencies must adhere to when considering the use of either Session Cookies or Persistent Cookies as part of their web site or web-based application. The requirements articulated in this policy are in addition to all other applicable Enterprise Policies and Standards that govern an agency’s technical environment.
1. General Requirements for Session Cookies and Persistent Cookies - Agencies must comply with all applicable security and privacy standards governing the collection and use of tracking information when using any type of cookie on their web sites for purposes of collecting visitor information.
Agencies must adhere to all relevant laws, regulations and policies including those designed to protect privacy governing the collection, use, retention, and safeguarding of any data gathered from users (web visitors), including but not limited to the following requirements as articulated in the Requirements for Agency Web-Site Privacy Policies:
1.2. Agencies must disclose the purpose of cookie usage and the information collected via session cookies and/or persistent cookies, whichever are used within an agency’s web site.
1.3.2. Agencies must post clear and conspicuous notice on the Web site of the use of web tracking technologies.
1.3.3. Agencies must provide a clear and understandable means for a user to opt-out of being tracked and not discriminate against those users who decide to opt-out in terms of their access to information.
2. Requirements Specific to Persistent Cookies – The following requirements are specific to the use of persistent cookies:
2.1. Persistent cookies must be issued by a Commonwealth controlled domain.
2.2. Persistent cookies must have a reasonable expiration date (for example, 2 years).
2.3. Information/data collected via cookies stored on Commonwealth owned and managed systems must be destroyed when the purpose for which it was provided has been fulfilled, unless retention for a longer period is required by state or federal laws, regulations or policies to which the agency is subject.
2.4. Information/data collected via cookies stored on third party managed systems must be subject to reasonable controls to protect users’ privacy.
2.5. Permanent cookies issued by external parties other than software publishers providing contracted services are prohibited.
2.7. Agencies are prohibited from using persistent cookies under circumstances that do not adhere to the requirements of this policy without first obtaining a waiver.
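Requirements 2.1 and 2.2 can be checked mechanically against the Set-Cookie headers a site actually emits. The following is an added example, not part of this policy and not EOTSS tooling: it parses Set-Cookie headers, decides whether each cookie is a session or persistent cookie, and flags persistent cookies whose domain is not Commonwealth controlled or whose lifetime exceeds the ceiling. The allowed-domain list (mass.gov), the two-year ceiling taken from the example in 2.2, the reference date and the sample headers are all assumptions or constructed inputs.

```python
"""Audit Set-Cookie headers against Section 2 (persistent cookie requirements).

Added example for illustration, not the policy's own tooling. The allowed-domain
list, the 2-year ceiling and the sample headers are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Assumption: domains the Commonwealth controls (mass.gov is named in the policy).
COMMONWEALTH_DOMAINS = ("mass.gov",)
# Assumption: the "reasonable expiration" example in 2.2, two years.
MAX_LIFETIME = timedelta(days=2 * 365)
# Fixed reference time (the policy's revision date) so Expires checks are reproducible.
REFERENCE_NOW = datetime(2014, 3, 6, tzinfo=timezone.utc)


@dataclass
class CookieCheck:
    name: str
    persistent: bool
    lifetime: Optional[timedelta]          # None for a session cookie
    domain: Optional[str]
    findings: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or None   # flags like Secure have no value
    return name.strip(), value, attrs


def cookie_lifetime(attrs: Dict[str, Optional[str]], now: datetime) -> Optional[timedelta]:
    """Max-Age takes precedence over Expires (RFC 6265); neither means a session cookie."""
    if attrs.get("max-age") is not None:
        return timedelta(seconds=int(attrs["max-age"]))
    if attrs.get("expires") is not None:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def domain_is_commonwealth(domain: Optional[str], request_host: str) -> bool:
    """A cookie without a Domain attribute is host-only, so the request host decides."""
    host = (domain or request_host).lstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in COMMONWEALTH_DOMAINS)


def check_set_cookie(header: str, request_host: str, now: datetime = REFERENCE_NOW) -> CookieCheck:
    name, _, attrs = parse_set_cookie(header)
    lifetime = cookie_lifetime(attrs, now)
    result = CookieCheck(name, lifetime is not None, lifetime, attrs.get("domain"))
    if lifetime is None:
        return result                       # session cookie: Section 2 does not apply
    if not domain_is_commonwealth(result.domain, request_host):
        result.findings.append("2.1: not issued by a Commonwealth-controlled domain")
    if lifetime > MAX_LIFETIME:
        result.findings.append("2.2: expiration exceeds the 2-year example ceiling")
    return result


def audit(headers: List[str], request_host: str, now: datetime = REFERENCE_NOW) -> Dict[str, List[str]]:
    """Map each cookie name to its list of findings (empty list = compliant)."""
    return {c.name: c.findings for c in (check_set_cookie(h, request_host, now) for h in headers)}


# Constructed sample headers, as if captured from a response of www.mass.gov.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",                       # session cookie
    "prefs=lang%3Den; Domain=.mass.gov; Path=/; Max-Age=31536000",       # 1 year, compliant
    "uid=42; Domain=.mass.gov; Max-Age=94608000",                        # 3 years, too long
    "track=x; Domain=.example-analytics.invalid; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
]

if __name__ == "__main__":
    for cookie, findings in audit(SAMPLE_HEADERS, "www.mass.gov").items():
        print(cookie, "OK" if not findings else "; ".join(findings))
```

A cookie with neither Max-Age nor Expires is treated as a session cookie and exempt from Section 2; a host-only cookie (no Domain attribute) is judged by the host that set it.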
3. Requirements for Seeking Waivers - Agencies with a business need to use persistent cookies in a manner that does not adhere to the requirements of this policy must seek a waiver from the Commonwealth Chief Information Officer. The waiver request must be sent to EOTSS' General Counsel.
The waiver request must be submitted by the Secretariat’s Chief Information Officer (SCIO) and Portal Advisory Board (PAB) representative including a copy of the submission to the agency’s Information Security Officer (ISO). If the request is initiated by a specific agency within a secretariat, the agency must work through the SCIO and PAB representative to obtain the waiver. Waivers should not be sought if highly sensitive information, including but not limited to personal information, will be exposed through the use of persistent cookies.
The waiver must include sufficient background information to enable the reviewing body to determine:
3.1. The intended use and purpose of the non-compliant persistent cookies;
3.2. Why the agency cannot meet its goals by complying with the policy;
3.3. The results of the agency’s documented privacy/security review, including the agency’s privacy risk and mitigation recommendations.
3.4.1. Waivers may be granted:
3.4.1.1. For a limited period of time until the agency comes into compliance with existing policy; or
3.4.1.2. Permanently, including a recommendation that specifics are incorporated into an updated enterprise policy as appropriate.
Roles and Responsibilities
All agencies and entities governed by the overarching Enterprise Information Security Policy are subject to the referenced roles and responsibilities in addition to those specifically stated within this supporting policy. In addition, the roles and responsibilities associated specifically with implementation and compliance with this policy follow:
Agency chief information officers, webmasters, and legal counsel are collectively responsible for ensuring adherence to this policy.
Assistant Secretary for Information Technology
- The Assistant Secretary for Information Technology is responsible for the final decision regarding requests for persistent cookie waivers.
- Granted persistent cookie waivers will be signed off by the Assistant Secretary for Information Technology.
Secretariat Chief Information Officer (SCIO) and Agency Head
- SCIOs and Agency heads are responsible for exercising due diligence in adhering to the requirements contained in this policy.
- The SCIOs are responsible for submitting the persistent cookie waiver request and associated documentation.
- The Agency Heads are responsible for ensuring compliance with all applicable laws, regulations, and contractual obligations.
- The Agency Heads are responsible for signing and submitting the persistent cookie waiver request and associated documentation.
Secretariat or Agency Information Security Officer (ISO)
- Ensure that the goals and requirements of this policy are implemented and met.
Agency Legal Counsel
- EOTSS' General Counsel is responsible for reviewing all persistent cookie waiver grants or denials prior to finalization and submitting her analysis to the Commonwealth Chief Information Officer for review and final signoff.
Agency Web Masters
- Webmasters are responsible for conforming to this policy.
Enterprise Security Board (ESB)
- Recommend revisions and updates to this policy and related guidance.
- Advise the Assistant Secretary for Information Technology in developing security policies, standards and guidelines.
- Act as a consultative body to the Assistant Secretary for Information Technology.
The Executive Office of Technology Services and Security (EOTSS)
- Continuous testing and monitoring of the enterprise environment.
- Requesting statements of compliance from Agency ISOs including additional information as required by the Assistant Secretary for Information Technology.
- Providing ongoing education and outreach.
- After review of any related recommendations of the Enterprise Security Board, issue revisions and updates to this policy and related standards.
- The Director of Mass.gov will enforce this policy.
- Ensure that all IT systems and applications developed by or for Executive Department agencies or servicing Mass.gov portalized sites conform to this and other applicable Enterprise Information Technology Policies, Standards and Procedures promulgated by the Assistant Secretary for Information Technology. Non-conforming cookies cannot be used unless the purchasing entity and their contractor have jointly applied for and received, in writing from the Assistant Secretary for Information Technology or designee, notice that a specified deviation will be permitted.
Key terms used in this policy have been provided below for your convenience. For a full list of terms please refer to the Executive Office of Technology Services and Security (EOTSS) web site where a full glossary of Commonwealth Specific Terms is maintained.
Session Cookie(s) - Also referred to as a transient cookie, a cookie that is erased when the user closes the Web browser. A session cookie may be created when you visit a site or portion of a site. The cookie exists for the duration of your visit. The session cookie is stored in temporary memory and is not retained after the browser is closed. Session cookies do not collect information from the user’s computer. They typically will store information in the form of a session identification that does not personally identify the user. Cookies are files that a Web site can place on a computer. Depending on the settings in your browser, you may have the option to deny the session cookie; however, if you deny the cookie you may have trouble using the web site which relies on that cookie.
Web Analytic / Web Tracking Tools – Tools that measure, collect, analyze and report on internet data for purposes of understanding and optimizing web usage. On-site web analytics measure a web visitor's journey once on the website and report on web statistics and traffic. Such tools provide more robust reporting and collection of web usage data via the required use of permanent/persistent cookies.
| | | | Next Review Date |
|---|---|---|---|
| 12/22/15 | Accessibility remediation – no content changes | 2/22/16 | 1/1/17F |