PURPOSE
_______________________________________________________________

The purpose of this policy is to define the County’s responsibility in responding to countywide computer security threats affecting the confidentiality, availability and/or integrity of County computerized data, and/or information processing resources.

REFERENCE
_______________________________________________________________

July 10, 2004, Board Order 10 - Board of Supervisors Policy – Information Technology and Security Policy.

POLICY
_______________________________________________________________

The County shall establish a Countywide Computer Emergency Response Team (CCERT). The CCERT will be led by the Chief Information Security Officer (CISO) and will consist of representatives from all County departments. CCERT will communicate security information, guidelines for notification processes, identify potential security risks, and coordinate responses to thwart, mitigate or eliminate a countywide computer security threat. Each County department shall establish a Departmental Computer Emergency Response Team (DCERT) that is led by the Departmental Information Security Officer (DISO) and has the responsibility for responding to and/or coordinating computer security threat events within their organization. Representatives from each DCERT shall also be active participants in CCERT. Each department shall establish and implement Departmental Computer Emergency Response Procedures. The DCERT shall inform the CCERT, as early as possible, of computer security threat events that could adversely impact countywide computer systems and/or data. Each department shall develop a notification process, to ensure management notification within their department and to the CCERT, in response to computer security events. The CCERT and DCERTs have the responsibility to take necessary corrective action to remediate a computer security threat. Each department shall provide CCERT with after hours contact information for their primary and secondary representatives. Each department shall maintain current contact information for all personnel who are responsible for managing I/T resources to be utilized to remediate security threats. Departments shall provide primary and secondary members with adequate portable communication devices. (e.g., cell phone, pager, etc). In instances where violation of any law may have occurred, proper notifications will be made in accordance with existing County policies. Policy Exceptions Requests for exceptions to this Board policy must be reviewed by the CIO and approved by the Board of Supervisors. Departments requesting exceptions should provide such requests to the CIO. The request should specifically state the scope of the exception along with justification for granting the exception, the potential impact or risk attendant upon granting the exception, risk mitigation measures to be undertaken by the department, initiatives, actions and a time frame for achieving the minimum compliance level with the policies set forth herein. The CIO will review such requests, confer with the requesting department and place the matter on the Board's agenda along with a recommendation for Board action.

RESPONSIBLE DEPARTMENT
_______________________________________________________________

Chief Information Office (CIO)

DATE ISSUED/SUNSET DATE
_______________________________________________________________

Issue Date: July 13, 2004	Sunset Date: July 13, 2008
Review Date: August 21, 2008	Sunset Date: July 13, 2012
Review Date: July 19, 2012	Sunset Date: January 13, 2013
Review Date: February 28, 2013	Sunset Date: July 13, 2013