PURPOSE
_______________________________________________________________

To establish a countywide information security policy to ensure that County information technology resources are protected by physical security measures that prevent physical tampering, damage, theft, or unauthorized physical access.

REFERENCE
_______________________________________________________________

July 13, 2004, Board Order 10 - Board of Supervisors Policy – Information Technology and Security Policy.

POLICY
_______________________________________________________________

Facility Security Plan Each County department is required to have a “Facility Security Plan” which shall include measures to safeguard Information Technology resources. The plan shall describe ways in which all Information Technology resources shall be protected from physical tampering, damage, theft, or unauthorized physical access. Proper Identification Access to areas containing sensitive information must be physically restricted. All individuals in these areas must wear an identification badge on their outer garments so that both the picture and information on the badge are clearly visible. Access to Restricted IT Areas Restricted I/T areas including data centers, computer rooms, telephone closets, network router and hub rooms, voicemail system rooms, and similar areas containing I/T resources. All access to these areas must be authorized and restricted. Equipment Control The assigned user of I/T resource is considered the custodian for the resource. If the item has been damaged, lost, stolen, borrowed, or is otherwise unavailable for normal business activities, the custodian must promptly inform the involved department manager. Sensitive I/T resources located in unsecured areas should be secured to prevent physical tampering, damage, theft, or unauthorized physical access. When feasible, I/T equipment must be marked with some form of identification that clearly indicates it is the property of the County of Los Angeles. Compliance Employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as civil and criminal penalties. Non-employees including contractors may be subject to termination of contractual agreements, denial of access and/or penalties both criminal and civil. Policy Exceptions Requests for exceptions to this Board policy must be reviewed by the CIO and approved by the Board of Supervisors. Departments requesting exceptions should provide such requests to the CIO. The request should specifically state the scope of the exception along with justification for granting the exception, the potential impact or risk attendant upon granting the exception, risk mitigation measures to be undertaken by the department, initiatives, actions and a time frame for achieving the minimum compliance level with the policies set forth herein. The CIO will review such requests, confer with the requesting department and place the matter on the Board's agenda along with a recommendation for Board action.

RESPONSIBLE DEPARTMENT
_______________________________________________________________

Chief Information Office (CIO)

DATE ISSUED/SUNSET DATE
_______________________________________________________________

Issue Date: July 13, 2004	Sunset Date: July 13, 2008
Issue Date: August 25, 2008	Sunset Date: July 13, 2012