
Policy #: 6.101

Title: Use of County Information Technology Resources

Effective Date: 07/13/04

PURPOSE
_______________________________________________________________

To establish policies for use of County information technology (IT) resources.

 

REFERENCE
_______________________________________________________________

July 13, 2004, Board Order No. 10 – Board of Supervisors – Information Technology and Security Policies

Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy

Board of Supervisors Policy No. 6.104 – Electronic Communications

Board of Supervisors Policy No. 6.105 – Internet Usage Policy

Board of Supervisors Policy No. 6.109 – Security Incident Reporting

Board of Supervisors Policy No. 3.040 – General Records Retention and Protection of Records Containing Personal and Confidential Information

Board of Supervisors Policy No. 9.015 – County Policy of Equity

Agreement for Acceptable Use and Confidentiality of County Information Technology Resources (Acceptable Use Agreement), attached

Comprehensive Computer Data Access and Fraud Act, California Penal Code Section 502

Health Insurance Portability and Accountability Act (HIPAA) of 1996

Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

California Civil Code Section 1798.29

 

POLICY
_______________________________________________________________

General

This policy is applicable to all County IT users.

All County IT users shall acknowledge and adhere to County IT resources policies, standards, and procedures and County IT security policies and shall sign the Acceptable Use Agreement attached to this Board of Supervisors Policy No. 6.101, prior to being granted access to County IT resources, and annually thereafter.

County IT users cannot expect any right to privacy concerning their activities related to County IT resources, including, without limitation, in anything they create, store, send, or receive using County IT resources. Having no expectation to any right to privacy includes, for example, that County IT users' access and use of County IT resources may be monitored or investigated by authorized persons at any time, without notice or consent.

Activities of County IT users may be logged/stored, may be a public record, and are subject to audit and review, including, without limitation, periodic monitoring and/or investigation, by authorized persons at any time.

County IT resources shall be accessed and used in accordance with each Department’s policies, standards, and procedures.

County IT resources may not be used:

For any unlawful purpose;

For any purpose detrimental to the County or its interests;

For personal financial gain;

In any way that undermines or interferes with access to or use of County IT resources for official County purposes;

In any way that hinders productivity, efficiency, customer service, or interferes with a County IT user’s performance of his/her official job duties;

To express or imply sponsorship or endorsement by the County, except as approved in accordance with Department’s policies, standards, and procedures; or

For personal purpose where activities are for private gain or advantage, or an outside endeavor not related to County business purpose. Personal purpose does not include the incidental and minimal use of County IT resources, such as internet usage, for personal purposes, including an occasional use of the internet.

No County IT user shall intentionally, or through negligence, damage, interfere with the operation of, or prevent authorized access to County IT resources. It is every County IT user’s duty to access and use County IT resources responsibly, professionally, ethically, and lawfully.

The County has the right to administer any and all aspects of County IT resources access and other use, including, without limitation, the right to monitor Internet, electronic communications (e.g., email, text messages, etc.), and data access. Access to County IT resources is a privilege, which access may be modified or revoked at any time, without notice or consent.

Monitoring the access to, and use of, County IT resources by County IT users must be approved in accordance with applicable policies and laws on investigations. If any evidence of violation of this policy is identified, the Auditor-Controller’s Office of County Investigations must be notified immediately.

Access Control

Unless specifically authorized by County Department management or policy, access to, and use of, any County IT resources and any related restricted work areas and facilities is prohibited.

Access control mechanisms shall be in place to protect against unauthorized access, use, exposure, disclosure, modification, or destruction of County IT resources.

Access control mechanisms may include, without limitation, hardware, software, storage media, policy and procedures, and physical security.

Authentication

Access to every County system shall have an appropriate user authentication mechanism based on the sensitivity and level of risk associated with the information.

All County systems containing information that requires restricted access shall require user authentication before access is granted.

County IT users shall not allow others to access a system while it is logged on under their user sessions. The only exceptions allowed are when the system cannot be configured to enforce a log-in, or where the business needs of the County Department require an alternate login practice for specified functions.

Representing yourself as someone else, real or fictional, or sending information anonymously is prohibited unless specifically authorized by County Department management.

County IT users shall be responsible for the integrity of the authentication mechanism granted to them. For example, County IT users shall not share their computer identification codes and other authentication mechanisms (e.g., logon identification (ID), computer access codes, account codes, passwords, SecurID cards/tokens, biometric logons, and smartcards).

Fixed passwords or single-factor authentication, which is used for most access authorization, shall be changed at a minimum every ninety (90) days.

Two-factor authentication is required for remote access and system administrator (e.g., servers) access to critical servers (e.g., applications) where personal information, confidential information, or otherwise sensitive (e.g., legislative data) information exists unless otherwise stated in County IT security technical and operational standards issued by ISSC.

Information Integrity

County IT users are responsible for maintaining the integrity of information, which is part of County IT resources. They shall not knowingly or through negligence cause such information to be modified or corrupted in any way that compromises its accuracy or prevents authorized access to it.

Accessing County IT Resources Remotely

Remote access to County IT resources by a County IT user shall require approval by designated County Department management and be in accordance with County Department policy. Each County IT user shall comply with, and only use equipment (e.g., County-owned computing device and personally owned computing device) that complies with, all applicable County IT resources policies, including, without limitation:

Inclusion of this Board of Supervisors Policy No. 6.101;

Board of Supervisors Policy No. 6.102 – Countywide Antivirus Security Policy;

Board of Supervisors Policy No. 6.104 – Electronic Communications;

Board of Supervisors Policy No. 6.105 – Internet Usage Policy;

Board of Supervisors Policy No. 6.106 – Physical Security;

Board of Supervisors Policy No. 6.109 – Security Incident Reporting; and

Board of Supervisors Policy No. 6.110 – Protection of Information on Portable Computing Devices.

Without limiting the foregoing, County IT users who are authorized to remotely access County IT resources using personally owned computing devices shall ensure that antivirus software is installed and up-to-date, that operating system software and application software are up-to-date (e.g., critical updates, security updates, and service packs), and that a firewall (i.e., software firewall on the computing device or hardware firewall) is installed and up-to-date.

Privacy

Information that is accessed using County IT resources shall be used in accordance with each Department’s policies, standards, and procedures. Such information shall not be exposed and/or disclosed to unauthorized individuals.

Confidentiality

Unless specifically authorized by designated County Department management, sending, disseminating, or otherwise exposing and/or disclosing personal and/or confidential information is strictly prohibited. This includes, without limitation, information that is subject to HIPAA, the HITECH Act, or any other confidentiality or privacy legislation.

Definition Reference

As used in this policy, the term “County IT resources” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

As used in this policy, the term “computing devices” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

As used in this policy, the term “County IT user” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

As used in this policy, the term “County IT security” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

As used in this policy, the term “County Department” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

As used in this policy, the terms "personal information" and "confidential information" shall have the same meanings as set forth in Board of Supervisors Policy No. 3.040 – General Records Retention and Protection of Records Containing Personal and Confidential Information.

Compliance

County employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as both civil and criminal penalties. Non-County employees, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to County IT resources, and other actions as well as both civil and criminal penalties.

Policy Exceptions

Requests for exceptions to this Board of Supervisors (Board) policy shall be reviewed by the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO), and shall require approval by the Board. County Departments requesting exceptions shall provide such requests to the CIO. The request should specifically state the scope of the exception along with justification for granting the exception, the potential impact or risk attendant upon granting the exception, risk mitigation measures to be undertaken by the County Department, initiatives, actions and a time-frame for achieving the minimum compliance level with the policies set forth herein. The CIO shall review such requests, confer with the requesting County Department, and place the matter on the Board's agenda along with a recommendation for Board action.

RESPONSIBLE DEPARTMENT
_______________________________________________________________

Chief Executive Office

 

DATE ISSUED/SUNSET DATE
_______________________________________________________________

Issue Date: July 13, 2004

Sunset Date: July 13, 2008

Review Date: August 25, 2008

Sunset Date: July 13, 2012

Review Date: July 19, 2012

Sunset Date: January 13, 2013

Review Date: June 27, 2013

Sunset Date: September 30, 2013

Review Date: September 18, 2013

Sunset Date: January 30, 2014

Review Date: January 15, 2014

Sunset Date: February 28, 2014

Review Date: February 19, 2014

Sunset Date: March 19, 2014

Review Date: March 19, 2014

Sunset Date: December 31, 2014

Review Date: January 6, 2015

Sunset Date: December 31, 2018
