Nevada Administrative Code Chapter 242 - Information Services
Background
NAC Chapter 242 governs:
Management of state information technology systems
Security and confidentiality of data
Access to and use of information services
Responsibilities of state agencies and personnel
Enforcement and penalties for violations
The Nevada Department of Administration – Information Technology Services Division (ITSD) enforces these rules.
Case 1: Unauthorized Access to State Data
Issue
An employee accessed confidential state records without authorization.
Facts
Employee in a government agency viewed social security numbers and financial records beyond their work duties.
Logs showed repeated access over several weeks.
Rules Applied
NAC 242.200 – Authorized use of information systems
NAC 242.210 – Unauthorized access prohibited
Board’s Analysis
Employees are granted access strictly according to job duties.
Unauthorized access is a breach of trust and state security policies.
Outcome
Employee suspended and later terminated
Mandatory security training required for all department staff
Internal audit initiated to check for similar breaches
Key Lesson
Access is role-specific; exceeding it can result in serious disciplinary action.
Case 2: Data Breach Due to Poor Security Practices
Issue
A state agency suffered a data breach because of inadequate cybersecurity controls.
Facts
Sensitive citizen information was exposed via unencrypted databases.
No multi-factor authentication (MFA) was implemented.
Rules Applied
NAC 242.150 – Security standards for state information systems
NAC 242.160 – Protection of sensitive data
Board’s Analysis
Agencies are required to implement safeguards to prevent unauthorized access.
Failure to follow minimum security standards constitutes a violation of NAC 242.
Outcome
Agency fined
Required to implement encryption, MFA, and staff cybersecurity training
Periodic security audits mandated
Key Lesson
Data security standards must be actively maintained to avoid breaches and penalties.
Case 3: Misuse of State Information Systems for Personal Gain
Issue
An employee used state IT resources to conduct private business.
Facts
Employee ran a side business using state computers and network.
Monitored logs revealed off-hours activity unrelated to work duties.
Rules Applied
NAC 242.220 – Prohibition on personal use of state information services
NAC 242.200 – Authorized use limitations
Board’s Analysis
Use of state resources for personal benefit violates trust and administrative rules.
Even if personal use did not cause direct financial harm, it constitutes misuse.
Outcome
Employee reprimanded
Required to reimburse costs related to resource use
Access privileges restricted pending compliance review
Key Lesson
State IT resources are for official purposes only; misuse is subject to discipline.
Case 4: Failure to Report Security Incidents
Issue
An agency employee did not report a ransomware attempt affecting state servers.
Facts
Suspicious activity detected by colleagues but not escalated.
Delay in reporting allowed partial system encryption and service disruption.
Rules Applied
NAC 242.170 – Incident reporting requirements
NAC 242.160 – Safeguarding data
Board’s Analysis
Prompt reporting is required to mitigate damage.
Failure to report a security incident is treated as negligence under NAC 242.
Outcome
Employee received formal reprimand
Agency required to revise incident response procedures
Mandatory cybersecurity awareness training for all staff
Key Lesson
Incident reporting is critical; delays exacerbate risks and liability.
Case 5: Unauthorized Software Installation
Issue
Employee installed unauthorized software on state servers.
Facts
Software contained vulnerabilities and was not approved by ITSD.
Installation created security gaps that could have exposed sensitive information.
Rules Applied
NAC 242.210 – Prohibition of unapproved software
NAC 242.150 – Security and system integrity standards
Board’s Analysis
Agencies must control software installations to prevent malware or system compromise.
Unauthorized installations violate both security and operational rules.
Outcome
Employee suspended
Unapproved software removed
Agency instructed to enforce stricter change management controls
Key Lesson
All software installations on state systems require formal approval to maintain security.
Case 6: Sharing State Data with External Parties Without Authorization
Issue
Agency staff shared confidential citizen data with contractors without proper authorization.
Facts
Personal data, including addresses and social security numbers, was transmitted to a private vendor.
No data sharing agreement or approval from ITSD was obtained.
Rules Applied
NAC 242.160 – Confidentiality and protection of information
NAC 242.230 – Third-party data sharing controls
Board’s Analysis
Unauthorized data sharing exposes citizens to identity theft and breaches trust.
Any external sharing requires proper contracts and approvals.
Outcome
Staff reprimanded
Vendor required to return or securely destroy data
Policy review and mandatory compliance training
Key Lesson
External data sharing requires authorization and protective measures.
Case 7: Negligent Handling of Access Credentials
Issue
Employee lost login credentials, allowing potential unauthorized access.
Facts
Login credentials written on a sticky note left at workstation.
Could have been used to access sensitive state databases.
Rules Applied
NAC 242.150 – Security and password management
NAC 242.200 – Authorized access rules
Board’s Analysis
Negligent handling of credentials violates minimum security standards.
Preventive measures, such as secure password storage, are required by NAC 242.
Outcome
Employee retrained on credential security
Agency implemented stricter password and access policies
Incident logged for monitoring
Key Lesson
Credential security is essential; negligence can have serious consequences.
Overall Themes from NAC 242 Cases
Authorized use only: Employees must only access systems and data needed for their role.
Data security and confidentiality: Protecting sensitive information is mandatory.
Incident reporting and mitigation: Prompt reporting prevents escalated damage.
System integrity: Unauthorized software and credential mismanagement are violations.
Personal use restrictions: State IT resources are strictly for official purposes.
