POLICY & PROCEDURE
Subject: ELECTRONIC DATA SECURITY
Index: Executive Services Department (IT)
Number: 100-22 (replaces 250-16)
Effective Date: 8/1/2024
Supersedes: 10/23/2006
Page: 1 of 8
Staff Contact: Kristi Rowland, Deputy CAO
Approved By:
1.0 PURPOSE:
The purpose of this policy is to establish standards to maintain system security, data
availability, data integrity, and privacy by preventing unauthorized access to data and by
preventing misuse, damage to, or loss of data.
2.0 ORGANIZATIONS AFFECTED:
All City departments.
3.0 REFERENCES:
• Policy and Procedure 300-47: Discipline
• CJIS Policy
• Information Technology Procedures Manual
4.0 POLICY:
It is the policy of the City of Renton to safeguard its electronic data by limiting computer
system access to those who have a legitimate job-related reason to have such access.
Data protection will be provided by following physical and cybersecurity best practices
using a variety of tools, techniques, and systems to protect the City’s data. The
Information Technology Division of the Executive Services Department is assigned the
responsibility of securing the City’s data and systems.
5.0 COMPLIANCE:
5.1 It is the responsibility of the department administrator to monitor and manage
adherence to this policy.
5.2 Department administrators, or their designees, shall monitor employee conduct
to assure compliance with this policy.
Electronic Date Security
Policy & Procedure 100-22
p. 2
5.3 Information Technology staff will assist with policy compliance matters as
needed.
5.4 This policy shall take effect upon publication. Compliance is expected with all
enterprise policies and standards. Policies and standards may be amended at any
time.
If compliance with this standard is not feasible or technically possible, or if
deviation from this policy is necessary to support a business function, entities
shall request an exception through the Infrastructure and Information
Security Manager’s exception process.
6.0 DEFINITIONS OF KEY TERMS:
Term: Definition
Computer Systems: Computer systems refers to computers, routers, switches, equipment racks/enclosures, wireless access points, and any other equipment permissibly attached to the City’s network.
CTS: Client Technology Services, aka Client Services; formerly the Service Desk.
IDF: Intermediate Distribution Frame (i.e. switch/network closet)
MDF: Main Distribution Frame (i.e. Server Room)
Information Technology Procedures Manual: The Information Technology Procedures Manual is maintained by the Information Technology Division and is available for staff review by visiting the Information Technology office. This manual details a number of procedures, including daily backups, phone administration, computer replacement, etc.
SaaS: Software as a Service
Staff Support Portal: The Staff Support Portal is the self-service portal provided by the Information Technology Division. You may submit a ticket by navigating to https://staffsupport.rentonwa.gov.
Security: For the purposes of this policy, security is defined as the ability to protect the integrity, availability, and confidentiality of electronic data housed or controlled by the City of Renton, and to protect the City’s electronic assets from unauthorized use or modification and accidental or intentional damage/destruction. It includes the security of Information Technology facilities, off-site data storage, computing, telecommunications, application and/or SaaS related services or commercial concerns, as well as other Internet-related applications and connectivity.
Security Breach: Any known or suspected unauthorized access to data, networks, or applications.
Sensitive Areas/Systems: The City of Renton’s sensitive areas are those areas within City facilities where physical access to criminal, court, medical, personnel, or health data is present. For example, this would include MDF and IDF rooms, police offices, and the court. Sensitive systems would be those computing systems with access to criminal, court, medical, personnel, or health data.
Staff: City of Renton employees.
Trusted Network: The internal network used by employees, protected from outside intrusion.
User Data: Data stored on networked drives, SharePoint or OneDrive, email, and/or data defined as such by the City’s retention schedule. All electronic data created, stored, or transmitted from the City’s computing systems is owned by the City.
7.0 CONTACT INFORMATION:
Submit all inquiries and requests for future enhancements to the policy owner at:
btietjen@rentonwa.gov
8.0 PROCEDURES:
8.1 Information Technology’s Responsibilities:
1. Create detailed security procedures for supporting industry best
practices/standards and adoption of higher agency security standards.
2. Ensure, oversee, and test compliance of the City’s network systems against
security standards and procedures. This requires testing network or
system security through a variety of security tools and outside vendors.
3. Limit access to the City’s trusted network and data to authorized users
using system protection tools, complex password enforcement,
appropriate firewalling techniques, and access restrictions.
4. Authorize all access to the City’s computer systems. Remote access
procedures for vendors in support of City-owned applications will be
coordinated with Information Technology by the application owner
department. System access will be provided to vendors of specific
applications and will be made available on an as-needed basis, as
determined by the application owner.
5. Ensure that password changes are made periodically using the system’s
automated password management tools.
6. Offer training for system users in adopted security standards including
password management.
7. Install and manage endpoint detection and response (EDR) and other
endpoint protection solutions. Information Technology will ensure that
these systems remain updated as appropriate.
8. Ensure that all security updates for operating systems, web browsers,
server applications, and email clients are installed to current levels on City-
owned systems. Information Technology shall verify all updates for
network compatibility, authenticity, and applicability.
9. Ensure that all user accounts lock out automatically after consecutive
failed login attempts. The user must contact IT Client Services (CTS) to
have the account re-enabled.
10. Perform system and data backups and provide as robust Disaster Recovery
capabilities as feasible.
11. Maintain a record of all computers and related equipment within the City.
These records include make, model, serial number, purchase information,
and other data as required. Information Technology uses these records to
identify equipment, verify its location, and to audit for equipment that
needs to be upgraded.
12. Ensure removal of all sensitive and/or confidential information from the
local storage of any computer to be re-deployed, recycled, or sent for
vendor repair.
13. Investigate system intrusions and other cybersecurity incidents in
coordination with the Police Department.
14. Report all security breaches under this policy to the appropriate state and
federal agencies.
15. Maintain strict access control to all sensitive areas, including IDF, MDF
rooms and other physical access points. Unescorted access to these
facilities shall not be permitted for contractors or staff that have not
successfully completed a fingerprint background check by the Renton
Police Department, and CJIS certification as applicable.
16. Require, when necessary, additional security such as personal digital
certificates, key fobs, token devices, smart cards, other physical devices,
or biometric systems for internal or external City system access or access to
outside agency systems.
17. Perform all installation and relocation of computing systems.
8.2 Department Management Responsibilities:
1. Implement automated compliance checking to ensure that organizational
units are operating in a manner consistent with this policy and established
password criteria guidelines.
2. Ensure staff training is available regarding security procedures and
standards.
3. Ensure staff are properly trained in the use of software and hardware to
prevent or reduce accidental data loss or corruption.
4. Ensure that staff requiring physical access to the City’s IDF, MDF rooms
and/or other physical access points successfully pass a fingerprint
background check by the Renton Police Department, and CJIS certification
as applicable, as a condition of employment. Sensitive areas also include
offices where computing systems have access to confidential criminal,
medical, or health sensitive data. Verification of background checks
performed by the Renton Police Department shall be maintained in the
staff personnel files. Background checks shall be completed within 30 days
of initial employment; or, in the case of a contractor, prior to
commencement of their work. Only individuals that meet federal
standards will be permitted access to sensitive areas/systems in
compliance with the standards set by the CJIS Security Policy.
5. Ensure that staff user data is properly dealt with, consistent with the
records retention policies, when staff leaves the City. This includes, but is
not limited to, regular employees, non-regular and project employees,
interns, volunteers, and contractors.
6. Inform Information Technology, in writing, of the system access rights that
are needed by a user to complete their specific job tasks. Immediately
inform Information Technology, in writing, of user system access rights
that change or are no longer needed for the job tasks, including staff
resignation or termination. Each department shall determine what access
is required for each staff member accessing the City’s computer systems.
Information Technology will establish access based on a completed New
Employee/Consultant/Contractor Change Request Form.
7. Assume ownership responsibility for their applications and application
access rights by staff. Information Technology will assist the department
in the development of procedures to document such access, but this
access will be managed by the application owner.
8. Ensure appropriate security measures are followed when purchasing or
developing transactional Internet-based applications, including but not
limited to e-commerce.
9. Report any security breach immediately, such as unauthorized access to
data, to Client Technology Services in writing. Such notification may be in
the form of an email marked urgent or memo from the department.
Information Technology will review the breach and make appropriate
recommendations to the department for resolution. These
communications shall be considered confidential and will only be made
available to the City’s networking staff and City management; and, if
necessary, the appropriate legal authorities.
10. Ensure all supervisors take the appropriate action to address violations of
information security requirements. Users who willingly and deliberately
violate this policy will be subject to disciplinary action up to and including
termination. See Policy and Procedure 300-47: Discipline.
8.3 Staff Responsibilities:
1. Each user is responsible for establishing and maintaining complex
passwords that meet City requirements (see the City of Renton’s Password
Requirements, Construction and Protection Policy). All users will honor
the password procedure and other security mechanisms on the system.
Passwords shall not be shared between staff members, contractors,
vendors, or anyone other than Information Technology staff – and then
only for troubleshooting purposes.
2. Automatic Lockout. User accounts will be locked out automatically after
five consecutive failed login attempts. The user must contact CTS to have
the account re-enabled.
3. When using any computer, staff must log in using their own user account.
Computers shared by multiple users are NOT an exception. Staff must log
off shared computers whenever they are not actively using them.
4. Screen savers should be enabled, and the password protection feature
turned on, after a 30-minute period of no activity. Once the screen saver
is activated, a password is necessary to resume the computing session.
5. Staff will not allow any person to access their assigned computer
equipment without supervisory authorization to do so. If a user discovers
unauthorized use of his/her account, such use must be reported
immediately to CTS.
6. All information (data) created by, obtained by, or utilized by system users
in the course of their employment is the exclusive property of the City of
Renton. Even when physically able to, users will not access any
information other than what they are specifically authorized to access and
that is necessary for the performance of their assigned duties. Any attempt to
access unauthorized systems or data will be subject to disciplinary action
up to and including termination. See Policy and Procedure 300-47:
Discipline.
7. All users are responsible for installing workstation patches and updates
made available or distributed by the Information Technology Division via
Software Center.
8. All users will ensure that their files are properly backed up. Users
connected to the City of Renton network will maintain files on the network
servers, SharePoint, or personal OneDrive. For guidance on where to store
which types of files, see the “WhereToStore” one sheet. Servers are
backed up on a periodic basis but are not meant to perform file-level
restoration and should not be depended on for such (see the Information
Technology backup procedures). Users or sites not connected to the City
of Renton’s network shall work with Information Technology to implement
a backup strategy that meets the backup policy requirements. All staff
shall follow records retention policies as established for their department.
9. Personal software or devices may not be loaded or attached to any City-
owned equipment without authorization by the department administrator
and the Information Technology Division. Personal software and devices
include, but are not limited to, screen savers, PCs, printers, scanners,
remote connections, and wireless or wired devices.
10. Except for assigned mobile technology (laptops, tablets, cellphones,
headsets, etc.), computer equipment will not be removed from the City of
Renton premises without the express approval of Information Technology.
Any assigned mobile technology shall be used only for City business, except
for allowed, limited personal use per subsection 12.a of this policy.
11. Computer technology and associated devices are provided for business use
by staff. However, some “occasional but limited” personal use of
equipment/devices covered by this policy may be permitted (see section
8.3, subsection 13 below).
12. “Occasional but limited” use is permitted. Examples of “occasional but
limited” use include:
a) Use of e-mail (or phone) during breaks to confirm that children
have arrived home safely from school;
b) Wishing a “happy birthday” or advising of an “agency” social
event over email;
c) Advising employees of recreation community center activities or
opportunities;
d) Use of the Internet to retrieve general information during non-
working time (i.e., reading the newspaper on-line).
e) A city officer or employee may use city resources for wellness or
combined fund drive activities as long as use conforms with this
subsection or as otherwise authorized in city policy and rule.
13. Whenever possible, all mobile technology will be maintained under the
direct supervision of the user to whom it is issued. Equipment must never
be left unattended in unsecured locations (such as airports, hotel lobbies,
or the seat of an unattended vehicle).
14. The loss of any computer equipment, or any City of Renton data, shall be
immediately reported to CTS. Client Technology Services will immediately
ensure that all possible steps are taken to protect the City of Renton from
further information loss.