
Policy #: 6.107

Title: Information Technology Risk Assessment

Effective Date: 07/13/04

PURPOSE
_______________________________________________________________

To ensure the performance of periodic information technology (IT) risk assessments of County Departments for the purpose of identifying security threats to, and security vulnerabilities within, County IT resources and initiating appropriate remediation.


REFERENCE
_______________________________________________________________

July 13, 2004, Board Order No. 10 – Board of Supervisors – Information Technology and Security Policies

Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy

Board of Supervisors Policy No. 6.101 – Use of County Information Technology Resources, including Agreement for Acceptable Use and Confidentiality of County Information Technology Resources (Acceptable Use Agreement), attached thereto


POLICY
_______________________________________________________________

Each County Department shall periodically conduct and document an IT risk assessment in accordance with Auditor-Controller (A-C) requirements, which are included in the annual/biennial A-C Internal Control Certification Program (ICCP) procedures.

IT risk assessments are mandatory and encompass information gathering, analysis, and determination of security vulnerabilities within the County IT resources, including, without limitation, hardware and software environments, and IT business practices.

IT risk assessments are necessary to analyze and mitigate security threats to the County IT resources, which may come from any source, including, without limitation, natural disasters, disgruntled County employees, hackers, the Internet, and equipment or service malfunction or breakdown.

IT risk assessments shall be conducted on all County IT resources, including, without limitation, applications, servers, networks, and any process or procedure by which the County IT resources are utilized and maintained. IT risk assessments shall also be performed on each facility that houses County IT resources.

An IT risk assessment program (e.g., vulnerability scans of networks, systems, and applications that identifies risks) shall include, without limitation, an inventory of County IT resources; review of County IT resources policies, standards, and procedures; review of County IT security policies, standards, and procedures; assessments and prioritization of security threats to, and security vulnerabilities within, County IT resources; and implementation of safeguards to mitigate identified security threats to, and security vulnerabilities within, County IT resources.

Definition Reference

As used in this policy, the term “County IT resources” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

As used in this policy, the term “County IT security” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

As used in this policy, the term “County Department” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

Compliance

County employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as both civil and criminal penalties. Non-County employees, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to County IT resources, and other actions as well as both civil and criminal penalties.

Policy Exceptions

Requests for exceptions to this Board of Supervisors (Board) policy shall be reviewed by the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO), and shall require approval by the Board. County Departments requesting exceptions shall provide such requests to the CIO. The request should specifically state the scope of the exception along with justification for granting the exception, the potential impact or risk attendant upon granting the exception, risk mitigation measures to be undertaken by the County Department, initiatives, actions and a time-frame for achieving the minimum compliance level with the policies set forth herein. The CIO shall review such requests, confer with the requesting County Department, and place the matter on the Board's agenda along with a recommendation for Board action.


RESPONSIBLE DEPARTMENT
_______________________________________________________________

Chief Executive Office


DATE ISSUED/SUNSET DATE
_______________________________________________________________

Issue Date: July 13, 2004

Sunset Date: July 13, 2008

Review Date: August 25, 2008

Sunset Date: July 13, 2012

Review Date: July 19, 2012

Sunset Date: January 13, 2013

Review Date: June 27, 2013

Sunset Date: September 30, 2013

Review Date: September 18, 2013

Sunset Date: January 30, 2014

Review Date: January 15, 2014

Sunset Date: February 28, 2014

Review Date: February 19, 2014

Sunset Date: March 19, 2014

Review Date: March 19, 2014

Sunset Date: December 31, 2014

Review Date: January 6, 2015

Sunset Date: December 31, 2018
