Previous Pagehome pageNext Page

Policy #:

Title:

Effective Date:

6.108

Auditing and Compliance

07/13/04

PURPOSE
_______________________________________________________________

To ensure that County information technology (IT) resources are periodically audited for compliance with County IT resources policies, standards, and procedures and County IT security policies, standards, and procedures.

 

REFERENCE
_______________________________________________________________

July 13, 2004, Board Order No. 10 – Board of Supervisors – Information Technology and Security Policies

Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy

Board of Supervisors Policy No. 6.101 – Use of County Information Technology Resources, including Agreement for Acceptable Use and Confidentiality of County Information Technology Resources (Acceptable Use Agreement), attached thereto

 

POLICY
_______________________________________________________________

This policy is applicable to all County IT users.

The Auditor-Controller (A-C) shall conduct or coordinate an audit of every County Department’s compliance with County IT resources policies, standards and procedures, and County IT security policies, standards, and procedures. Audits shall be prioritized and scheduled based on risk by the A-C. To facilitate the audit process, each County Department shall:

Properly complete the annual Chief Information Office’s Business Automation Planning (BAP) security questionnaire.

Properly conduct and document IT risk assessments in accordance with A-C requirements as required by Board of Supervisors Policy No. 6.107 – Information Technology Risk Assessment.

Definition Reference

As used in this policy, the term “County IT resources” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

As used in this policy, the term “County IT user” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

As used in this policy, the term “County IT security” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

As used in this policy, the term “County Department” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

Compliance

County employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as both civil and criminal penalties. Non-County employees, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to County IT resources, and other actions as well as both civil and criminal penalties.

Policy Exceptions

Requests for exceptions to this Board of Supervisors (Board) policy shall be reviewed by the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO), and shall require approval by the Board. County Departments requesting exceptions shall provide such requests to the CIO. The request should specifically state the scope of the exception along with justification for granting the exception, the potential impact or risk attendant upon granting the exception, risk mitigation measures to be undertaken by the County Department, initiatives, actions and a timeframe for achieving the minimum compliance level with the policies set forth herein. The CIO shall review such requests, confer with the requesting County Department, and place the matter on the Board's agenda along with a recommendation for Board action.

RESPONSIBLE DEPARTMENT
_______________________________________________________________

Chief Executive Office

 

DATE ISSUED/SUNSET DATE
_______________________________________________________________

Issue Date: July 13, 2004

Sunset Date: July 13, 2008

Review Date: August 25, 2008

Sunset Date: July 13, 2012

Review Date: July 19, 2012

Sunset Date: January 13, 2013

Review Date: June 27, 2013

Sunset Date: September 30, 2013

Review Date: September 18, 2013

Sunset Date: January 30, 2014

Review Date: January 15, 2014

Sunset Date: February 28, 2014

Review Date: February 19, 2014

Sunset Date: March 19, 2014

Review Date: March 19, 2014

Sunset Date: December 31, 2014

Review Date: January 6, 2015

Sunset Date: December 31, 2018

Previous PageNext Page