New Hanover County

Information Technology Department

Issued:  10/09/02

Policy Number:  6-01

Subject:  SECURITY POLICY

PURPOSE AND SCOPE:

The purpose of this policy is to establish guidelines, procedures, and requirements to ensure the appropriate protection of New Hanover County’s information systems and electronic data. In doing so, this policy addresses the need for privacy of personal and County information.  In addition, this policy addresses the need for integrity of the data in the County’s possession.

This policy applies to all County employees and other workers or third parties performing work for New Hanover County. This policy applies to all computing, telephonic, and network systems owned or leased by New Hanover County, as well as any non-county-owned equipment that may be attached to a County network.

In this policy, the term network is explicitly defined to mean all County voice and data networks as well as any other networks to which the County networks are connected, such as the Internet, the State network, and the City of Wilmington network, among others.

CHANGE SUMMARY:

10/09/02   This is the Original Document.

POLICY:

Confidentiality, Integrity, and Availability:

The County must protect the confidentiality, integrity, and availability of its information systems, networks, and electronic data.  Information deemed confidential or sensitive will be controlled such that it is unavailable to those who do not have the necessary approvals to access it.  The County must ensure the integrity of the electronic information it maintains, meaning that it is correct and has not been altered or corrupted in some way during transmission, processing, or while in secure storage.  This also means that programs, applications, procedures, and systems function as intended.  Availability means that access to information and information systems is not denied to authorized users.

Responsibilities of All Users

All users of County computer systems and network resources have the responsibility to ensure the overall security of County systems, and to behave in a manner consistent with this security policy. Each user is responsible for understanding and complying with this policy and with the Acceptable Use Policy.

Responsibilities of the Departmental Managers

Departmental Managers are responsible for ensuring that appropriate computer and communication system security measures are observed in their areas.  They are also responsible for making sure that all Departmental users have reviewed this Security Policy as well as the Acceptable Use Policy.

Physical Security

Critical computing resources and equipment such as servers, network equipment, telephone systems, etc., should be stored in secure locations (server room, wiring closets, etc.) with restricted access.  In addition, this equipment must be placed in an environmentally controlled location (e.g., temperature control, humidity, exposure to water, etc.).  Printers or faxes used for sensitive data should also be stored in a secure location.  Magnetic media such as hard drives, diskettes, or tapes must be erased before disposal.

Terminations and Transfers

Human Resources must promptly notify the IT Department of all significant changes in worker duties or employment status.  The IT Department will notify the appropriate System Administrators responsible for those user accounts.  Computer access of terminated employees should be deactivated immediately upon notification by the HR Department.  The user IDs of terminated or transferred employees must not be used by other personnel.

PROCEDURE:

Security Policy Overview:

This policy is a high-level document describing the overall approach that the County has taken to secure its information systems and electronic data.  The approach is to provide detailed instructions in the supporting documents listed below:

1.      The Acceptable Use Policy outlines the responsibilities and the appropriate employee security measures that all users of County computer systems and network resources must comply with in order to preserve the overall security of these County systems, networks, and data.  It also outlines prohibited activities. Each user is responsible for understanding and complying with this policy.

2.      The Remote Access Security Policy defines standards for connection to the County’s network from any external host or external network.  This policy will address use of encryption, VPN, wireless access, telecom access (dial-in, ISDN, analog, etc.), and extranet access.

3.      The Third Party Connection Agreement defines the standards and requirements, including legal requirements, needed in order to interconnect a third party organization’s network to the County network, forming an Extranet.  Both parties must sign the agreement.

4.      The Network Equipment Policy defines the standards for security configurations of routers, switches, and servers inside the County’s secure network.  It includes standards for creating, protecting, and changing strong passwords as well as for adding users to and deleting users from systems.

5.      The DMZ Security Policy defines the standards to be met by all equipment located in the Demilitarized Zone (DMZ) owned and/or operated by the County.  This includes servers, firewalls, routers, and switches.

6.      The Virus Warning Policy defines guidelines for effectively reducing the threat of computer viruses on the County network.  Other aspects of virus prevention are addressed in the Email and Acceptable Use Policies.

7.      The Audit Policy defines the requirements and provides authority for the IT Department to conduct audits, monitor logs, user activity, etc. to ensure compliance with all applicable Security Policies.

REFERENCES:

CHANGE HISTORY:

Version   Date       Author   Comments
A         10/09/02   DRWB     Original Document