250-16
ELECTRONIC DATA SECURITY

POLICY & PROCEDURE

Subject: ELECTRONIC DATA SECURITY

Index: Finance & Information Services

Number: 250-16

Effective Date: 10/23/2006

Supersedes: N/A

Staff Contact: Mike Bailey

Approved By: Kathy Keolker

1.0 PURPOSE:

The purpose of this policy is to establish standards to maintain system security, data availability, data integrity, and privacy by preventing unauthorized access to data and by preventing misuse of, damage to, or loss of data.

2.0 ORGANIZATIONS AFFECTED:

All City departments/divisions

3.0 REFERENCES:

Policy and Procedure 300-19: Employee Termination and Out-Process

Policy and Procedure 300-47: Discipline

Department of Justice, FBI, Criminal Justice Information Services’ Security Policy

Information Services Procedures Manual

4.0 POLICY:

It is the policy of the City of Renton to safeguard its electronic data store by limiting computer system access to those who have a legitimate, job-related reason to have such access. Data protection will be provided by following computer security industry best practices using a variety of tools, techniques, and systems to protect the City’s data. The Information Services (IS) Division of the Finance and Information Services Department is assigned the responsibility of securing the City’s data systems.

5.0 DEFINITIONS:

5.1    Computer Systems: Computer systems for purposes of this policy refer to computers, routers, switches, hubs, equipment racks/enclosures, wiring access points, and any other equipment reasonably attached to the City’s telecommunications network.

5.2    Information Services Procedures Manual: The Information Services Procedures Manual is maintained in the offices of Information Services, and it is available for staff review by visiting the Information Services' office. This manual details a number of procedures from daily backup operations, phone operations, computer replacement, etc.

5.3    Online Help Desk: The Online Help Desk is the IS Help Desk resource located on the side menu of the staff portal, RentonNet. The staff portal is available for all employees of the City of Renton.

5.4    Security: For the purposes of this policy, security is defined as the ability to protect the integrity, availability, and confidentiality of electronic data held by the City of Renton and to protect the City’s electronic assets from unauthorized use or modification and accidental or intentional damage/destruction. It includes the security of Information Services’ facilities, off-site data storage, computing, telecommunications, application related services purchased from other government agencies or commercial concerns, and Internet-related applications and connectivity.

5.5    Security Breach: Any known or suspected staff access to data, networks, or applications for which they have not been authorized.

5.6    Sensitive Areas/Systems: The City of Renton’s sensitive areas are those areas within City facilities where physical access to criminal, court, medical, personnel, or health data is present. For example, this would include telecommunication rooms, computer rooms, police and fire department offices, and the court. Sensitive systems would be those computing systems with access to criminal, court, medical, personnel, or health data.

5.7    Staff: City of Renton employees.

5.8    Trusted Network: The inside computer system network used by employees, protected from outside intrusion.

5.9    User Data: Data stored on staff I:\ drive, email, and/or data defined as such by the City’s retention schedule. All electronic data created, stored, or transmitted from the City’s computing systems is owned by the City.

6.0 PROCEDURE:

6.1    Information Services’ Responsibilities:

6.1.1    Create detailed security procedures for supporting industry best practices/standards and adoption of higher agency security standards.

6.1.2    Ensure, oversee and test compliance of the City’s network systems architecture with security standards and procedures. This requires testing network or system security through a variety of security tools and outside vendors.

6.1.3    Limit access to the City’s trusted network and data to authorized users through the use of system protection tools, complex password enforcement, appropriate firewalling techniques, and access blocking technology.

6.1.4    Authorize all access to the City’s computer systems. Additional authorization by the department and Information Services is needed for remote system access. Information Services will grant and remove access rights to the City’s computer systems per written request by the department administrator, or designee, unless a violation of this policy has occurred. Remote access procedures for vendors in support of City-owned applications will be coordinated by the application owner department with Information Services. System access will be provided to vendors of specific applications and will be made available on an as-needed basis, as determined by the application owner.

6.1.5    Ensure that password changes are made periodically using the system’s automated password management tools. More detailed information regarding password reset and choosing a complex password is available on the staff portal Online Help Desk page.

6.1.6    Offer training for system users in adopted security standards including password management.

6.1.7    Install anti-virus/spam blocking software system-wide. These systems are to remain activated at all times. Information Services will ensure that these systems remain updated as appropriate.

6.1.8    Ensure that all security updates for operating systems, web browsers, server applications, and email clients are installed to current levels on City-owned systems. Information Services shall verify all updates for network compatibility, authenticity, and applicability.

6.1.9    Ensure that all user accounts are locked out automatically after consecutive failed login attempts. The user must contact the IS Help Desk to have the account enabled.

6.1.10    Perform system and data backups according to the Information Services backup procedures. These procedures are available for review in the Information Services’ office.

6.1.11    Maintain a record of all computers and related equipment within the City, which record includes make, model, serial number, purchase information, and other data as required. Information Services uses this record to identify equipment, verify its location, and to identify equipment that needs to be upgraded.

6.1.12    Ensure removal of all sensitive and/or confidential information from the hard drive of any computer to be re-tasked, discarded or sent out of house for repair.

6.1.13    Investigate system intrusions and other information security incidents in coordination with the Police Department.

6.1.14    Report all security breaches under this policy to the appropriate state and federal agencies.

6.1.15    Maintain strict access control of all sensitive areas, including telecommunications/computer rooms that contain the City’s computing systems and physical access points. Unescorted access to these facilities shall not be permitted for contractors or employees that have not successfully completed a fingerprint background check by the Renton Police Department.

6.1.16    Require, when necessary, additional security such as personal digital certificates, key fobs, token devices, smart cards, other physical devices, or biometric systems for internal or external City system access or access to outside agency systems.

6.1.17    Perform all installation and relocation of computing systems.

6.2    Department/Division Management Responsibilities:

6.2.1    Implement automated compliance checking to ensure that organizational units are operating in a manner consistent with this policy and established password criteria guidelines. Password information is available at the staff portal under the Online Help Desk.

6.2.2    Ensure staff training is available regarding security procedures and standards.

6.2.3    Ensure employees are properly trained in the use of software and hardware to prevent or reduce accidental data loss or corruption.

6.2.4    Ensure that employees requiring physical access to the City’s telecommunications/computer rooms (which rooms contain the City’s computing systems and physical access points [sensitive areas]), successfully pass a fingerprint background check by the Renton Police Department as a condition of employment. Sensitive areas also include offices where computing systems have access to confidential criminal, medical, or health sensitive data. Verification of background checks performed by the Renton Police Department shall be maintained in the employee’s personnel file. Background checks shall be completed within 30 days of initial employment; or, in the case of a contractor, prior to commencement of their work. Only individuals that meet federal standards will be permitted access to sensitive areas/systems in compliance with the standards set by the Criminal Justice Information Services Division, Federal Bureau of Investigation, US Department of Justice Security Policy.

6.2.5    Ensure that employee user data is properly dealt with, consistent with the records retention policies, when an employee leaves the City. This includes, but is not limited to, regular employees, non-regular and project employees, interns, volunteers, and contractors.

6.2.6    Inform Information Services, in writing, of the system access rights that are needed by a user to complete their specific job tasks. Immediately inform Information Services, in writing, of user system access rights that change or are no longer needed for the job tasks, including staff resignation or termination. Each department shall determine what access is required for each staff member accessing the City’s computer systems. Information Services will establish access based on a completed New Employee/Consultant/Contractor Change Request Form.

6.2.7    Assume ownership responsibility for their applications and application access rights by staff. Information Services will assist the department in the development of procedures to document such access, but this access will be managed by the application owner.

6.2.8    Ensure appropriate security measures are included when purchasing or developing transactional Internet-based applications, including but not limited to electronic commerce (e-commerce).

6.2.9    Report any security breach immediately, such as unauthorized access to data, to the IS Help Desk in writing. Such notification may be in the form of an email marked urgent or memo from the department. Information Services will review the breach and make appropriate recommendations to the department for resolution. These communications shall be considered confidential and will only be made available to the City’s networking staff and City management; and, if necessary, the appropriate legal authorities.

6.2.10    Ensure all supervisors take the appropriate action to address violations of information security requirements. Users who willingly and deliberately violate this policy will be subject to disciplinary action up to and including termination. See Policy and Procedure 300-47: Discipline.

6.3    Staff Responsibilities:

6.3.1    All staff, contractors, interns, etc., wishing to use the City computer systems must sign a compliance statement prior to being issued a user account. Where users already have user accounts, such signatures must be obtained as part of the annual review process. A signature on this compliance statement indicates the involved user understands and agrees to abide by City policies and procedures related to the City’s computing systems, including this policy and procedure.

6.3.2    Each user is responsible for establishing and maintaining complex passwords that meet City requirements (see the City of Renton’s Password Criteria on the staff portal Online Help Desk). All users will honor the password procedure and other security mechanisms on the system. Passwords shall not be shared between staff members, contractors, vendors, or anyone other than Information Services staff – and then only for troubleshooting purposes.

6.3.3    Automatic Intruder Lockout. User accounts will be locked out automatically after three consecutive failed login attempts. The user must contact the IS Help Desk to have the account enabled.

6.3.4    When using any computer, staff must log in using their own user account. Computers shared by multiple users are NOT an exception. Staff must log off shared computers whenever they are not actively using them.

6.3.5    Screen savers should be enabled, and the password protection feature turned on, after a 30-minute period of no activity. Once the screen saver is activated, a password is necessary to resume the computing session.

6.3.6    Staff will not allow any person to access their assigned computer equipment without supervisory authorization to do so. If a user discovers unauthorized use of his/her account, such use must be reported immediately to the IS Help Desk.

6.3.7    All information (data) created by, obtained by, or utilized by system users in the course of their employment is the exclusive property of the City of Renton. Even when physically able to, users will not access any information other than what they are specifically authorized to access and what is necessary for the performance of their assigned duties. Any attempt to access unauthorized systems or data will be subject to disciplinary action up to and including termination. See Policy and Procedure 300-47: Discipline.

6.3.8    All users are responsible for installing workstation patches and updates made available or distributed by the Information Services Division.

6.3.9    Anti-virus software is to remain activated at all times and users are responsible for virus checking all downloaded files and attachments. Users are responsible for immediately notifying the IS Help Desk if they suspect a virus has entered their computer through email or via external disc, etc.

6.3.10    All users will ensure that their computer files are properly backed up. Users connected to the City of Renton network will maintain files on the network servers. These servers are backed up on a periodic basis (see the Information Services backup procedures). Users or sites not connected to the City of Renton’s network shall work with Information Services to implement a backup strategy that meets the backup policy requirements. Employees choosing to store records other than on network servers shall follow records retention policies as established for their department.

6.3.11    Personal software or devices may not be loaded or attached to any City-owned equipment without authorization by the department administrator and the Information Services Division. Personal software and devices include, but are not limited to, screen savers, PDAs, PCs, hubs, printers, scanners, remote connections, and wireless or wired devices.

6.3.12    Computer equipment will not be removed from the City of Renton premises without the express approval of Information Services for any purposes and only for City business. Mobile computers leaving the home site shall not contain any confidential, criminal, medical, court, personal, or health sensitive data.

6.3.13    Whenever possible, all portable computing equipment (laptop computers, PDAs, display projectors, screens, remote controls, etc.) will be maintained under the direct supervision of the user to whom it is issued. The equipment must never be left unattended (in locations such as airports, hotel lobbies, or sitting on the seat of an unattended vehicle). Wherever practical, the computer equipment shall be secured with supplied security device(s).

6.3.14    The loss of any computer equipment, or any City of Renton data, shall be immediately reported to the IS Help Desk. The Help Desk will immediately ensure that all possible steps are taken to protect the City of Renton from further information loss.

7.0 ADHERENCE TO THIS POLICY:

7.1    It is the responsibility of the department administrator to monitor and manage adherence to this policy.

7.1.1    Department administrators, or their designee, shall monitor employee conduct to assure compliance with this policy.

7.1.2    Information Services staff will assist with policy compliance matters as needed.