
Policy #: 6.100

Title: Information Technology and Security Policy

Effective Date: 07/13/04

PURPOSE
_______________________________________________________________

To establish a Countywide Information Technology and Security program supported by countywide policies in order to assure appropriate and authorized access, usage and the integrity of County information and information technology assets.

 

REFERENCE
_______________________________________________________________

Comprehensive Computer Data Access and Fraud Act, California Penal Code 502.

POLICY
_______________________________________________________________

Information and the systems, networks, and software necessary for processing are essential County assets that must be appropriately protected against all forms of unauthorized access, use, disclosure, or modification. Security and controls for County information and associated information technology (I/T) assets which are owned, managed, operated, maintained, or in the custody or proprietorship of the County or non-County entities must be implemented to help ensure:

Privacy and confidentiality

Data integrity

Availability

Accountability

Appropriate use

The County Technology and Security Policies will establish the minimum standard to which all departments must adhere. Departments may, at their discretion, enhance the minimum standard based on their unique requirements.

RESPONSIBILITIES
_______________________________________________________________

Departments, Commissions, Board and Offices

Department heads are responsible for ensuring appropriate I/T use and security within the Department. Departmental management is responsible for organizational adherence to countywide technology and security policies. They must ensure that all employees and other users of departmental information technology resources are made aware of those policies and that compliance is mandatory. They must also develop organizational procedures to support policy implementation.

The Department Head will ensure the designation of an individual to be responsible for coordinating appropriate use and information security within the Department.

Chief Information Office (CIO)

The Office of the CIO will ensure the development of countywide information technology policies that, in addition to security, will specify the appropriate use of information technology (I/T) resources for internal and external activities, e-mail and other communications, as well as Internet access and use. When approved, these policies will be published and made available to all users of County I/T resources to ensure their awareness and compliance.

Chief Information Security Officer (CISO)

The Chief Information Security Officer reports to the Chief Information Officer (CIO) and is responsible for the I/T Security Program for the County. Responsibilities include:

Developing and maintaining the information security strategy for the County

Chairing the Information Security Steering Committee (ISSC)

Providing information security related technical, regulatory, and policy leadership

Facilitating the implementation of County information security policies

Coordinating information security efforts across departmental lines

Leading information security training and education efforts

Directing the Countywide Computer Emergency Response Team (CCERT)

Departmental Information Technology Management/CIO will:

Manage information technology assets within the Department

Be responsible for any departmental information technology and security policy

Ensure that systems are implemented and configured to meet County information security standards

Ensure that systems are maintained at current critical security patch levels

Implement technology-based services that adhere to the intent and purpose of all information technology use and security policies, standards and guidelines

Individual designated as Security Coordinator or Departmental Information Security Officer (DISO) will:

Manage security of information technology assets within the Department

Assist in the development of departmental information technology security policy

Represent the Department at the Information Security Steering Committee (ISSC)

Coordinate the Departmental Computer Emergency Response Team (DCERT)

Employees and Other Authorized Users:

Employees and other department-authorized users are responsible for acknowledging and adhering to County information technology use and security policies. They are responsible for protecting the County information assets with which they are entrusted and for using them for their intended purposes. Employees and authorized non-County users will be required to sign an “Acceptable Use Agreement” as a condition of being granted access to County I/T systems.

Information Security Steering Committee (ISSC)

The Information Security Steering Committee is established to be the coordinating body for all County information security-related activities and is composed of the Departmental Information Security Officers (DISO) or designated representative.

ISSC responsibilities include:

Assisting the CISO in developing, reviewing, and recommending information security policies

Identifying and recommending industry best practices for information security

Developing, reviewing and recommending countywide standards, procedures and guidelines

Coordinating inter-departmental communication and collaboration on security issues

Coordinating countywide I/T security education and awareness

Policy Exceptions

Requests for exceptions to this Board policy must be reviewed by the CIO and approved by the Board of Supervisors. Departments requesting exceptions should provide such requests to the CIO. The request should specifically state the scope of the exception along with justification for granting the exception, the potential impact or risk attendant upon granting the exception, risk mitigation measures to be undertaken by the department, initiatives, actions and a time frame for achieving the minimum compliance level with the policies set forth herein. The CIO will review such requests, confer with the requesting department and place the matter on the Board's agenda along with a recommendation for Board action.

RESPONSIBLE DEPARTMENT
_______________________________________________________________

Chief Information Office (CIO)

 

DATE ISSUED/SUNSET DATE
_______________________________________________________________

Issue Date: July 13, 2004

Sunset Date: July 13, 2008

Review Date: August 25, 2008

Sunset Date: July 13, 2012

Review Date: July 19, 2012

Sunset Date: January 13, 2013

Review Date: February 28, 2013

Sunset Date: July 13, 2013
