New Information Technology Department
Issued:
Policy Number: 6-01
Subject: SECURITY OVERVIEW
PURPOSE AND SCOPE:
The purpose of this policy is to establish
guidelines, procedures, and requirements to ensure the appropriate protection
of
This policy applies to all County employees and
other workers or third parties performing work for
When using the term network, it is explicitly
defined to mean all County voice and data networks as well as any other
networks to which the County networks are connected such as the Internet, the
State network, and the City of
CHANGE SUMMARY:
POLICY:
Confidentiality, Integrity, and Availability:
The County must protect the confidentiality,
integrity, and availability of its information systems, networks, and
electronic data. Information deemed confidential or sensitive will be
controlled such that it is unavailable to those who do not have the necessary
approvals to access it. The County must ensure the integrity of the
electronic information it maintains, meaning that it is correct and has not
been altered or corrupted in some way during transmission, processing, or while
in secure storage. This also means that programs, applications,
procedures, and systems function as intended. Availability means that
access to information and information systems is not denied to authorized
users.
Responsibilities of All Users
All users of County computer systems and
network resources have the responsibility to ensure the overall security of
County systems, and to behave in a manner consistent with this security policy.
Each user is responsible for understanding and complying with this policy and
with the Acceptable Use Policy.
Responsibilities of the Departmental Managers
Departmental Managers are responsible for
ensuring that appropriate computer and communication system security measures
are observed in their areas. They are also responsible for making sure
that all Departmental users have reviewed this Security Policy as well as the
Acceptable Use Policy.
Critical computing resources and equipment
such as servers, network equipment, and telephone systems should be stored
in secure locations (server room, wiring closets, etc.) with restricted
access. In addition, this equipment must be placed in an environmentally
controlled location (e.g., temperature control, humidity, exposure to
water). Printers or faxes used for sensitive data should also be stored in
a secure location. Magnetic media such as hard drives, diskettes, or
tapes must be erased before disposal.
Terminations and Transfers
Human Resources must promptly notify the IT
Department of all significant changes in worker duties or employment
status. The IT Department will notify the appropriate System
Administrators responsible for those user accounts. Computer access of
terminated employees should be deactivated immediately upon notification by the
HR Department. The user IDs of terminated or transferred employees must
not be used by other personnel.
PROCEDURE:
Security Policy Overview:
This policy is a high-level document
describing the overall approach that the County has taken to secure its
information systems and electronic data. The approach is to provide
detailed instructions in the supporting documents listed below:
1. The Acceptable Use Policy outlines the responsibilities and the
appropriate employee security measures that all users of County computer
systems and network resources must comply with in order to preserve the
overall security of County systems, networks, and data. It also outlines
prohibited activities. Each user is responsible for understanding and
complying with this policy.
2. The Remote Access Security Policy defines standards for connection to
the County’s network from any external host or external network. This policy
will address use of encryption, VPN, wireless access, telecom access (dial in,
ISDN, analog, etc.), and extranet access.
3. The Third Party Connection Agreement defines the standards and
requirements, including legal requirements, needed in order to interconnect a
third party organization’s network to the County network, forming an Extranet.
Both parties must sign the agreement.
4. The Network Equipment Policy defines the standards for security
configurations of routers, switches, and servers inside the County’s secure
network. It includes standards for creating, protecting, and changing strong
passwords as well as adding/deleting users from systems.
5. The DMZ Security Policy defines the standards to be met by all equipment
located in the Demilitarized Zone (DMZ) owned and/or operated by the County.
This includes servers, firewalls, routers, and switches.
6. The Virus Warning Policy defines guidelines for effectively reducing the
threat of computer viruses on the County network. Other aspects of virus
prevention are addressed in the Email and Acceptable Use Policies.
7. The Audit Policy defines the requirements and provides authority for the
IT Department to conduct audits and to monitor logs, user activity, etc., to
ensure compliance with all applicable Security Policies.
REFERENCES:
CHANGE HISTORY:
Version | Date | Author | Comments
A | | DRWB | Original Document