
Policy #: 6.100

Title: Information Technology and Security Policy

Effective Date: 07/13/04

PURPOSE
_______________________________________________________________

To establish a countywide information technology (IT) security program supported by countywide policies within the Board of Supervisors Policy Manual (Manual) chapter 6 including related policies in other chapters of the Manual (e.g., chapters 3, 7, and 9) to assure appropriate and authorized access, usage, and integrity of County IT resources.


REFERENCE
_______________________________________________________________

July 13, 2004, Board Order No. 10 – Board of Supervisors – Information Technology and Security Policies

Board of Supervisors Policy No. 6.101 – Use of County Information Technology Resources, including Agreement for Acceptable Use and Confidentiality of County Information Technology Resources (Acceptable Use Agreement), attached thereto

Board of Supervisors Policy No. 3.040 – General Records Retention and Protection of Records Containing Personal and Confidential Information

Comprehensive Computer Data Access and Fraud Act, California Penal Code Section 502

Health Insurance Portability and Accountability Act (HIPAA) of 1996

Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

California Civil Code Section 1798.29

POLICY
_______________________________________________________________

Definitions

As used in this policy, the term “County IT resources” includes, without limitation, the following items, which are owned, leased, managed, operated, or maintained by, or in the custody of, the County or non-County entities for County purposes:

Computing devices, including, without limitation, the following:

o Desktop personal computers, including, without limitation, desktop computers and thin client devices

o Portable computing devices, including, without limitation, the following:

Portable computers, including, without limitation, laptops and tablet computers, and mobile computers that can connect by cable, telephone wire, wireless transmission, or via any Internet connection to County IT resources; and

Portable devices, including, without limitation, personal digital assistants (PDAs), digital cameras, smartphones, cell phones, pagers, wearable computers (also known as body-borne computers or wearables), and audio/video recorders; and

Portable storage media, including, without limitation, diskettes, tapes, DVDs, CDs, USB flash drives, memory cards, and external hard disk drives; and

o Multiple user and application computers, including, without limitation, servers

o Printing and scanning devices, including, without limitation, printers, copiers, scanners, and fax machines

o Network devices, including, without limitation, firewalls, routers, and switches.

Telecommunications (e.g., wired and wireless), including, without limitation, voice and data networks, voicemail, voice over Internet Protocol (VoIP), and videoconferencing

Software, including, without limitation, application software, operating systems software, and stored instructions

Information, including, without limitation, the following:

o Data

o Documentation

o Electronic communications (e.g., email, text message)

o Personal information

o Confidential information

o Voice recordings

o Photographs

o Electronically stored information (data that is created, altered, communicated and stored in digital form)

Services, including, without limitation, hosted services and County Internet services

Systems, which are an integration and/or interrelation of various components of County IT resources to provide a business solution (e.g., eCAPS).

As used in the above definition of “County IT resources”, the terms "personal information" and "confidential information" shall have the same meanings as set forth in Board of Supervisors Policy No. 3.040 – General Records Retention and Protection of Records Containing Personal and Confidential Information.

As used in this policy, the term “County IT user” includes any user (e.g., County employees, contractors, subcontractors, and volunteers; and other governmental staff and private agency staff) of any County IT resources, except that the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO) may mutually determine, in writing, at any time that certain persons and/or entities (e.g., general public) shall be excluded from the definition of “County IT user”.

As used in this policy, the term “County IT security” includes any security (e.g., appropriate use and protection) relating to any County IT resources.

As used in this policy, the term “County IT security incident” includes any actual or suspected adverse event (e.g., virus/worm attack, exposure, loss, or disclosure of personal information and/or confidential information, disruption of data or system integrity, and disruption or denial of availability) relating to any County IT security.

As used in this policy, the term “County Department” includes the following:

A County department

Any County commission, board, and office which the CISO and the CIO, in consultation with County Counsel, mutually determine, in writing, at any time shall be included in the definition of “County Department”

General

County IT resources are essential County assets that shall be appropriately protected against all forms of unauthorized access, use, disclosure, or modification. Security and controls for County IT resources shall be implemented to help ensure, without limitation:

Privacy and confidentiality

Information integrity, including, without limitation, data integrity

Availability

Accountability

Appropriate access, use, exposure, disclosure, and modification

Countywide County IT resources policies and countywide County IT security policies establish the minimum requirements to which County Departments shall adhere. Each County Department may, at its discretion, establish supplemental policies, standards, and procedures based on unique requirements of the County Department.

RESPONSIBILITIES
_______________________________________________________________

County Departments

The head of each County Department is responsible for ensuring County IT security, including, without limitation, within the County Department. Management of each County Department is responsible for organizational adherence to countywide County IT resources policies and countywide County IT security policies, operational and technical standards and procedures, as well as any additional policies, standards, and procedures established by the County Department. They shall ensure that all County IT users are made aware of those policies, standards, and procedures and that compliance is mandatory.

Chief Information Officer (CIO)

The Chief Information Office shall ensure the development of countywide County IT resources policies, standards, and procedures and countywide County IT security policies, standards, and procedures. These County IT security policies shall include, without limitation, the appropriate access, use, exposure, disclosure, and modification of County IT resources for internal and external activities (e.g., email and other electronic communications, and Internet access and use). When approved, these policies shall be published and made available to all County IT users to ensure their awareness and compliance.

Chief Information Security Officer (CISO)

The CISO shall report to the CIO and is responsible for the Countywide Information Security Program. The responsibilities of the CISO include, without limitation, the following:

Developing and maintaining the Countywide Information Security Strategic Plan

Chairing the Information Security Steering Committee (ISSC)

Providing County IT security-related technical, regulatory, and policy leadership

Facilitating the implementation of County IT security policies

Coordinating County IT security efforts across organizational boundaries

Leading County IT security training and education efforts

Directing the Countywide Computer Emergency Response Team (CCERT)

County Department IT Management / Departmental Chief Information Officer

The responsibilities of IT management and the departmental chief information officer of each County Department include, without limitation, the following:

Manage County IT resources within the County Department

Notify the CISO when a change to the County Department's DISO has occurred

Ensure the County Department adheres to countywide County IT security policies, standards, and procedures and any additional County IT security policies, standards, and procedures established by the County Department

Ensure the County Department adheres to County IT security technical and operational standards and procedures

Ensure that County IT resources are implemented and configured to meet County IT security technical and operational standards and procedures

Ensure that County IT resources are maintained at current critical security patch levels

Implement IT-based services that adhere to all applicable County IT resources policies, standards, and procedures and County IT security policies, standards, and procedures

Departmental Information Security Officer (DISO)

The DISO shall report to the highest level of IT management or to executive management within the County Department. The responsibilities of the DISO include, without limitation, the following:

Manage security of County IT resources within the County Department

Assist in the development of County Department IT security policies

Regularly represent the County Department at the ISSC meetings and related activities

Lead the Departmental Computer Emergency Response Team (DCERT)

Ensure the County Department is regularly represented at the CCERT meetings and related activities

Ensure the County Department is regularly represented at the Security Engineering Teams (SET) meetings and related activities

Report County IT security incidents to the CISO, as required by County IT security policies

County IT Users

County IT users are responsible for acknowledging and adhering to County IT resources policies, standards, and procedures and County IT security policies. They are responsible for the following:

Protection of County IT resources with which they are entrusted; accessing, using, exposing, disclosing, and modifying County IT resources only as authorized; and accessing and using them for their intended purposes.

County IT users are required to sign the Acceptable Use Agreement as a condition of being granted access to County IT resources. The Acceptable Use Agreement is set forth in Board of Supervisors Policy No. 6.101 – Use of County Information Technology Resources.

Information Security Steering Committee (ISSC)

The ISSC is established to be the coordinating body for all County IT security-related activities and is composed of the DISOs (or Assistant DISOs) from all County Departments.

The responsibilities of the ISSC include, without limitation, the following:

Assisting the CISO in developing, reviewing, and recommending countywide County IT security policies

Identifying and recommending industry best practices for countywide County IT security

Developing, reviewing, and recommending countywide County IT security technical and operational standards, procedures, and guidelines

Coordinating communication and collaboration among County Departments on countywide and County Department IT security issues

Coordinating countywide County IT security education and awareness

Compliance

County employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as both civil and criminal penalties. Non-County employees, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to County IT resources, and other actions as well as both civil and criminal penalties.

Policy Exceptions

Requests for exceptions to this Board of Supervisors (Board) policy shall be reviewed by the CISO and the CIO, and shall require approval by the Board. County Departments requesting exceptions shall provide such requests to the CIO. The request should specifically state the scope of the exception along with justification for granting the exception, the potential impact or risk attendant upon granting the exception, risk mitigation measures to be undertaken by the County Department, initiatives, actions and a time-frame for achieving the minimum compliance level with the policies set forth herein. The CIO shall review such requests, confer with the requesting County Department, and place the matter on the Board's agenda along with a recommendation for Board action.

RESPONSIBLE DEPARTMENT
_______________________________________________________________

Chief Executive Office


DATE ISSUED/SUNSET DATE
_______________________________________________________________

Issue Date: July 13, 2004

Sunset Date: July 13, 2008

Review Date: August 25, 2008

Sunset Date: July 13, 2012

Review Date: July 19, 2012

Sunset Date: January 13, 2013

Review Date: June 27, 2013

Sunset Date: September 30, 2013

Review Date: September 18, 2013

Sunset Date: January 30, 2014

Review Date: January 15, 2014

Sunset Date: February 28, 2014

Review Date: February 19, 2014

Sunset Date: March 19, 2014

Review Date: March 19, 2014

Sunset Date: December 31, 2014

Review Date: January 6, 2015

Sunset Date: December 31, 2018
