
Policy #: 6.107
Title: Information Technology Risk Assessment
Effective Date: 07/13/04
PURPOSE
_______________________________________________________________
To ensure the performance of periodic countywide and departmental information security risk assessments for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.
REFERENCE
_______________________________________________________________
July 10, 2004, Board Order 10 - Board of Supervisors Policy – Information Technology and Security Policy
POLICY
_______________________________________________________________
Security risk assessment is a mandatory activity, which encompasses information gathering, analysis, and determination of security vulnerabilities within the County’s hardware and software environment, and information technology (I/T) business practices. Security risk assessment is necessary to analyze and mitigate threats to the County information technology assets, which may come from any source including natural disasters, disgruntled employees, hackers, the Internet, equipment or service malfunction or breakdown.

Security risk assessments shall be conducted on all information systems including applications, servers, networks, and any process or procedure by which these systems are utilized and maintained. Risk assessment shall also be performed on facilities that house information technology resources. A risk assessment program shall include an inventory of I/T assets, review of I/T policy and procedures, assessments and prioritization of data security vulnerabilities, and implementation of safeguards to mitigate identified vulnerabilities. County departments shall periodically conduct and document an information technology risk assessment in accordance with Auditor-Controller requirements.

Compliance

County departments must develop written procedures to comply with this policy. Review and remediation of risk assessment findings is the responsibility of each department.

Policy Exceptions

Requests for exceptions to this Board policy must be reviewed by the CIO and approved by the Board of Supervisors. Departments requesting exceptions should provide such requests to the CIO. The request should specifically state the scope of the exception along with justification for granting the exception, the potential impact or risk attendant upon granting the exception, risk mitigation measures to be undertaken by the department, initiatives, actions and a time frame for achieving the minimum compliance level with the policies set forth herein.

The CIO will review such requests, confer with the requesting department and place the matter on the Board's agenda along with a recommendation for Board action.
RESPONSIBLE DEPARTMENT
_______________________________________________________________
Chief Information Office (CIO)
DATE ISSUED/SUNSET DATE
_______________________________________________________________
Issue Date: July 13, 2004
Sunset Date: July 13, 2008
Review Date: August 25, 2008
Sunset Date: July 13, 2012
Review Date: July 19, 2012
Sunset Date: January 13, 2013
Review Date: February 28, 2013
Sunset Date: July 13, 2013