POLICY & PROCEDURE
Subject:
ELECTRONIC DATA SECURITY Index: Finance & Information Services
Number: 250-16
Effective Date: 10/23/2006
Supersedes: N/A
Page: 1 of 7
Staff Contact: Mike Bailey
Approved By: (signature)
1.0 PURPOSE:
The purpose of this policy is to establish standards to maintain system security, data
availability, data integrity, and privacy by preventing unauthorized access to data and by
preventing misuse of, damage to, or loss of data.
2.0 ORGANIZATIONS AFFECTED:
All City departments/divisions
3.0 REFERENCES:
Policy and Procedure 300-19: Employee Termination and Out-Process
Policy and Procedure 300-47: Discipline
Department of Justice, FBI, Criminal Justice Information Services' Security Policy
Information Services Procedures Manual
4.0 POLICY:
It is the policy of the City of Renton to safeguard its electronic data store by limiting
computer system access to those who have a legitimate, job related reason to have such
access. Data protection will be provided by following computer security industry best
practices using a variety of tools, techniques, and systems to protect the City's data. The
Information Services (IS) Division of the Finance and Information Services Department is
assigned the responsibility of securing the City's data systems.
5.0 DEFINITIONS:
5.1 Computer Systems: Computer systems for purposes of this policy refer to computers,
routers, switches, hubs, equipment racks/enclosures, wiring access points, and any
other equipment reasonably attached to the City's telecommunications network.
5.2 Information Services Procedures Manual: The Information Services Procedures
Manual is maintained in the offices of Information Services, and it is available for
staff review by visiting the Information Services' office. This manual details
procedures such as daily backup operations, phone operations, and computer
replacement.
5.3 Online Help Desk: The Online Help Desk is the IS Help Desk resource located on
the side menu of the staff portal, RentonNet. The staff portal is available for all
employees of the City of Renton.
5.4 Security: For the purposes of this policy, security is defined as the ability to protect
the integrity, availability, and confidentiality of electronic data held by the City of
Renton and to protect the City's electronic assets from unauthorized use or
modification and accidental or intentional damage/destruction. It includes the
security of Information Services' facilities, off-site data storage, computing,
telecommunications, application related services purchased from other government
agencies or commercial concerns, and Internet-related applications and connectivity.
5.5 Security Breach: Any known or suspected staff access to data, networks, or
applications for which they have not been authorized.
5.6 Sensitive Areas/Systems: The City of Renton's sensitive areas are those areas within
City facilities where physical access to criminal, court, medical, personnel, or health
data is present. For example, this would include telecommunication rooms,
computer rooms, police and fire department offices, and the court. Sensitive systems
would be those computing systems with access to criminal, court, medical,
personnel, or health data.
5.7 Staff: City of Renton employees.
5.8 Trusted Network: The inside computer system network used by employees, protected
from outside intrusion.
5.9 User Data: Data stored on staff I:\ drive, email, and/or data defined as such by the
City's retention schedule. All electronic data created, stored, or transmitted from the
City's computing systems is owned by the City.
6.0 PROCEDURE:
6.1 Information Services' Responsibilities:
6.1.1 Create detailed security procedures for supporting industry best
practices/standards and adoption of higher agency security standards.
6.1.2 Ensure, oversee and test compliance of the City's network systems
architecture with security standards and procedures. This requires testing
network or system security through a variety of security tools and outside
vendors.
6.1.3 Limit access to the City's trusted network and data to authorized users
through the use of system protection tools, complex password enforcement,
appropriate firewalling techniques, and access blocking technology.
6.1.4 Authorize all access to the City's computer systems. Additional
authorization by the department and Information Services is needed for
remote system access. Information Services will grant and remove access
rights to the City's computer systems per written request by the department
administrator, or designee, unless a violation of this policy has occurred.
Remote access procedures for vendors in support of City-owned
applications will be coordinated by the application owner department with
Information Services. System access will be provided to vendors of specific
applications and will be made available on an as-needed basis, as
determined by the application owner.
6.1.5 Ensure that password changes are made periodically using the system's
automated password management tools. More detailed information
regarding password reset and choosing a complex password is available on
the staff portal Online Help Desk page.
6.1.6 Offer training for system users in adopted security standards including
password management.
6.1.7 Install anti-virus/spam blocking software system-wide. These systems are
to remain activated at all times. Information Services will ensure that these
systems remain updated as appropriate.
6.1.8 Ensure that all security updates for operating systems, web browsers, server
applications, and email clients are installed to current levels on City-owned
systems. Information Services shall verify all updates for network
compatibility, authenticity, and applicability.
6.1.9 Ensure that all user accounts are locked out automatically after three consecutive
failed login attempts (see 6.3.3). The user must contact the IS Help Desk to have the
account re-enabled.
6.1.10 Perform system and data backups according to the Information Services
backup procedures. These procedures are available for review in the
Information Services' office.
6.1.11 Maintain a record of all computers and related equipment within the City,
which record includes make, model, serial number, purchase information,
and other data as required. Information Services uses this record to identify
equipment, verify its location, and to identify equipment that needs to be
upgraded.
6.1.12 Ensure removal of all sensitive and/or confidential information from the
hard drive of any computer to be re-tasked, discarded or sent out of house
for repair.
6.1.13 Investigate system intrusions and other information security incidents in
coordination with the Police Department.
6.1.14 Report all security breaches under this policy to the appropriate state and
federal agencies.
6.1.15 Maintain strict access control of all sensitive areas, including
telecommunications/computer rooms that contain the City's computing
systems and physical access points. Unescorted access to these facilities
shall not be permitted for contractors or employees that have not
successfully completed a fingerprint background check by the Renton Police
Department.
6.1.16 Require, when necessary, additional security such as personal digital
certificates, key fobs, token devices, smart cards, other physical devices, or
biometric systems for internal or external City system access or access to
outside agency systems.
6.1.17 Perform all installation and relocation of computing systems.
6.2 Department/Division Management Responsibilities:
6.2.1 Implement automated compliance checking to ensure that organizational
units are operating in a manner consistent with this policy and established
password criteria guidelines. Password information is available at the staff
portal under the Online Help Desk.
6.2.2 Ensure staff training is available regarding security procedures and
standards.
6.2.3 Ensure employees are properly trained in the use of software and hardware
to prevent or reduce accidental data loss or corruption.
6.2.4 Ensure that employees requiring physical access to the City's
telecommunications/computer rooms (which rooms contain the City's
computing systems and physical access points [sensitive areas]),
successfully pass a fingerprint background check by the Renton Police
Department as a condition of employment. Sensitive areas also include
offices where computing systems have access to confidential criminal,
medical, or health sensitive data. Verification of background checks
performed by the Renton Police Department shall be maintained in the
employee's personnel file. Background checks shall be completed within
30 days of initial employment; or, in the case of a contractor, prior to
commencement of their work. Only individuals that meet federal standards
will be permitted access to sensitive areas/systems in compliance with the
standards set by the Criminal Justice Information Services Division, Federal
Bureau of Investigation, US Department of Justice Security Policy.
6.2.5 Ensure that employee user data is properly dealt with, consistent with the
records retentions policies, when an employee leaves the City. This
includes, but is not limited to, regular employees, non-regular and project
employees, interns, volunteers, and contractors.
6.2.6 Inform Information Services, in writing, of the system access rights that are
needed by a user to complete their specific job tasks. Immediately inform
Information Services, in writing, of user system access rights that change or
are no longer needed for the job tasks, including staff resignation or
termination. Each department shall determine what access is required for
each staff member accessing the City's computer systems. Information
Services will establish access based on a completed New
Employee/Consultant/Contractor Change Request Form.
6.2.7 Assume ownership responsibility for their applications and application
access rights by staff. Information Services will assist the department in the
development of procedures to document such access, but this access will be
managed by the application owner.
6.2.8 Ensure appropriate security measures are included when purchasing or
developing transactional Internet-based applications, including but not
limited to electronic commerce (e-commerce).
6.2.9 Report any security breach immediately, such as unauthorized access to
data, to the IS Help Desk in writing. Such notification may be in the form
of an email marked urgent or memo from the department. Information
Services will review the breach and make appropriate recommendations to
the department for resolution. These communications shall be considered
confidential and will only be made available to the City's networking staff
and City management; and, if necessary, the appropriate legal authorities.
6.2.10 Ensure all supervisors take the appropriate action to address violations of
information security requirements. Users who willingly and deliberately
violate this policy will be subject to disciplinary action up to and including
termination. See Policy and Procedure 300-47: Discipline.
6.3 Staff Responsibilities:
6.3.1 All staff, contractors, interns, etc., wishing to use the City computer systems
must sign a compliance statement prior to being issued a user account.
Where users already have user accounts, such signatures must be obtained
as part of the annual review process. A signature on this compliance
statement indicates the involved user understands and agrees to abide by
City policies and procedures related to the City's computing systems,
including this policy and procedure.
6.3.2 Each user is responsible for establishing and maintaining complex
passwords that meet City requirements (see the City of Renton's Password
Criteria on the staff portal Online Help Desk). All users will honor the
password procedure and other security mechanisms on the system.
Passwords shall not be shared with other staff members, contractors, vendors,
or anyone other than Information Services staff, and then only for
troubleshooting purposes.
6.3.3 Automatic Intruder Lockout. User accounts will be locked out
automatically after three consecutive failed login attempts. The user must
contact the IS Help Desk to have the account enabled.
6.3.4 When using any computer staff must login using their own user account.
Computers shared by multiple users are NOT an exception. Staff must log
off shared computers whenever they are not actively using them.
6.3.5 Screen savers should be enabled with the password protection feature turned
on, and should activate after a 30-minute period of no activity. Once the screen
saver is activated, a password is necessary to resume the computing session.
6.3.6 Staff will not allow any person to access their assigned computer equipment
without supervisory authorization to do so. If a user discovers unauthorized
use of his/her account, such use must be reported immediately to the IS
Help Desk.
6.3.7 All information (data) created by, obtained by, or utilized by system users,
in the course of their employment is the exclusive property of the City of
Renton. Even when physically able to, users will not access any
information other than what they are specifically authorized to access and is
necessary for the performance of their assigned duties. Any attempt to
access unauthorized systems or data will be subject to disciplinary action up
to and including termination. See Policy and Procedure 300-47: Discipline.
6.3.8 All users are responsible for installing workstation patches and updates
made available or distributed by the Information Services Division.
6.3.9 Anti-virus software is to remain activated at all times and users are
responsible for virus checking all downloaded files and attachments. Users
are responsible to immediately notify the IS Help Desk if they suspect a
virus has entered their computer through email or via external disc, etc.
6.3.10 All users will ensure that their computer files are properly backed up. Users
connected to the City of Renton network will maintain files on the network
servers. These servers are backed up on a periodic basis (see the
Information Services backup procedures). Users or sites not connected to
the City of Renton's network shall work with Information Services to
implement a backup strategy that meets the backup policy requirements.
Employees choosing to store records other than on network servers shall
follow records retention policies as established for their department.
6.3.11 Personal software or devices may not be loaded or attached to any City-
owned equipment without authorization by the department administrator
and the Information Services Division. Personal software and devices
include, but are not limited to, screen savers, PDAs, PCs, hubs, printers,
scanners, remote connections, and wireless or wired devices.
6.3.12 Computer equipment will not be removed from City of Renton premises for
any purpose without the express approval of Information Services, and then
only for City business. Mobile computers leaving the home site shall not
contain any confidential, criminal, medical, court, personal, or health
sensitive data.
6.3.13 Whenever possible, all portable computing equipment (laptop computers,
PDAs, display projectors, screens, remote controls, etc.) will be maintained
under the direct supervision of the user to whom it is issued. The equipment
must never be left unattended in locations such as airports, hotel lobbies, or
the seat of an unattended vehicle. Wherever practical, the
computer equipment shall be secured with the supplied security device(s).
6.3.14 The loss of any computer equipment, or any City of Renton data, shall be
immediately reported to the IS Help Desk. The Help Desk will immediately
ensure that all possible steps are taken to protect the City of Renton from
further information loss.
7.0 ADHERENCE TO THIS POLICY:
7.1 It is the responsibility of the department administrator to monitor and manage
adherence to this policy.
7.1.1 Department administrators, or their designee, shall monitor employee
conduct to assure compliance with this policy.
7.1.2 Information Services staff will assist with policy compliance matters as
needed.