Information Technology and Security Policy
To establish a Countywide Information Technology and Security program supported by countywide policies in order to assure appropriate and authorized access, usage and the integrity of County information and information technology assets.
Comprehensive Computer Data Access and Fraud Act, California Penal Code 502.
Information and the systems, networks, and software necessary for processing are essential County assets that must be appropriately protected against all forms of unauthorized access, use, disclosure, or modification. Security and controls for County information and associated information technology (I/T) assets which are owned, managed, operated, maintained, or in the custody or proprietorship of the County or non-County entities must be implemented to help ensure:
Privacy and confidentiality
The County Technology and Security Policies will establish the minimum standard to which all departments must adhere. Departments may, at their discretion, enhance the minimum standard based on their unique requirements.
Departments, Commissions, Board and Offices
Department heads are responsible for ensuring appropriate I/T use and security within the Department. Departmental management is responsible for organizational adherence to countywide technology and security policies. They must ensure that all employees and other users of departmental information technology resources are made aware of those policies and that compliance is mandatory. They must also develop organizational procedures to support policy implementation.
The Department Head will ensure the designation of an individual to be responsible for coordinating appropriate use and information security within the Department.
Chief Information Office (CIO)
The Office of the CIO will ensure the development of countywide information technology policies that, in addition to security, will specify the appropriate use of information technology (I/T) resources for internal and external activities, e-mail and other communications, as well as Internet access and use. When approved, these policies will be published and made available to all users of County I/T resources to ensure their awareness and compliance.
Chief Information Security Officer (CISO)
The Chief Information Security Officer reports to the Chief Information Officer (CIO) and is responsible for the I/T Security Program for the County. Responsibilities include:
Developing and maintaining the information security strategy for the County
Chairing the Information Security Steering Committee (ISSC)
Providing information security related technical, regulatory, and policy leadership
Facilitating the implementation of County information security policies
Coordinating information security efforts across departmental lines
Leading information security training and education efforts
Directing the Countywide Computer Emergency Response Team (CCERT)
Departmental Information Technology Management/CIO will:
Manage information technology assets within the Department
Be responsible for any departmental information technology and security policy
Ensure that systems are implemented and configured to meet County information security standards
Ensure that systems are maintained at current critical security patch levels
Implement technology-based services that adhere to the intent and purpose of all information technology use and security policies, standards and guidelines
Individual designated as Security Coordinator or Departmental Information Security Officer (DISO) will:
Manage security of information technology assets within the Department
Assist in the development of departmental information technology security policy
Represent the Department at the Information Security Steering Committee (ISSC)
Coordinate the Departmental Computer Emergency Response Team (DCERT)
Employees and Other Authorized Users:
Employees and other department authorized users are responsible for acknowledging and adhering to County information technology use and security policies. They are responsible for protecting the County information assets with which they are entrusted and for using them for their intended purposes. Employees and authorized non-County users will be required to sign an “Acceptable Use Agreement” as a condition of being granted access to County I/T systems.
Information Security Steering Committee (ISSC)
The Information Security Steering Committee is established to be the coordinating body for all County information security-related activities and is composed of the Departmental Information Security Officers (DISO) or designated representative.
ISSC responsibilities include:
Assisting the CISO in developing, reviewing, and recommending information security policies
Identifying and recommending industry best practices for information security
Developing, reviewing and recommending countywide standards, procedures and guidelines
Coordinating inter-departmental communication and collaboration on security issues
Coordinating countywide I/T security education and awareness
Requests for exceptions to this Board policy must be reviewed by the CIO and approved by the Board of Supervisors. Departments requesting exceptions should provide such requests to the CIO. The request should specifically state the scope of the exception along with justification for granting the exception, the potential impact or risk attendant upon granting the exception, risk mitigation measures to be undertaken by the department, initiatives, actions and a time frame for achieving the minimum compliance level with the policies set forth herein. The CIO will review such requests, confer with the requesting department and place the matter on the Board's agenda along with a recommendation for Board action.
Chief Information Office (CIO)
DATE ISSUED/SUNSET DATE
Issue Date: July 13, 2004
Sunset Date: July 13, 2008
Review Date: August 25, 2008
Sunset Date: July 13, 2012
Review Date: July 19, 2012
Sunset Date: January 13, 2013
Review Date: February 28, 2013
Sunset Date: July 13, 2013