Information Systems Department

9-2 Information Technology Use and Security Policy Manual

Approved by: Board of Supervisors of the County of Sonoma (“County”), and the Boards of Directors of the Northern Sonoma County Air Pollution Control District, the Russian River County Sanitation District, Sonoma Valley County Sanitation District, Occidental County Sanitation District, South Park County Sanitation District, and the Board of Directors of the Sonoma County Agricultural Preservation and Open Space District (collectively referred to hereinafter as “Special Districts”), and the Sonoma County Water Agency (“Agency”), and the Board of Commissioners of the Sonoma County Community Development Commission (“Commission”).  The County, Special Districts, Agency and Commission are collectively referred to herein as “Local Agencies” or singularly as “Local Agency.”

Table of Contents

Purpose

Scope

Maintenance

Exceptions

Adverse Action

Policy

  1. Introduction
  2. Roles and Responsibilities
    1. Users
    2. Local Agency Department Head/General Manager
    3. Information Security Representative
    4. Local Information Services Providers
    5. Chief Information Security Officer
    6. Information Security Steering Committee
    7. HIPAA County Privacy Officer
    8. Data Owner
    9. Data Steward
    10. Data Custodian
  3. Information Technology and Security Governance Policy
  4. Use of Local Agency IT Resources and Data Policy
    1. General Use and Ownership
    2. IT Resource Monitoring
    3. User Access Monitoring
    4. No Expectation of Privacy
    5. Public Records Act Compliance and Records Retention
    6. Use of Sensitive Information
    7. User Accounts and Passwords
    8. Use of Electronic Messaging
    9. Use of the Internet
    10. Personal Use/Union Use
    11. Use of Authorized Software
    12. Use of Authorized Devices
    13. Unacceptable Use
  5. Data Classification Policy
    1. Data Categories
    2. Data Classification Assignment
    3. Security Requirements
  6. Information Security Incident Management Policy
    1. Information Security Incident Reporting
    2. Information Security Incident Response
  7. Mobile Computing
    1. Personally Owned Devices
    2. Local Agency Provided Devices
  8. Security Awareness Training and Education Policy
    1. Security Awareness Training

Acknowledgment

Appendix A - Guidelines

  1. Data Classification

Appendix B – Information Security Laws and Standards

  1. Federal Laws
    1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    2. Health Information Technology for Economic and Clinical Health (HITECH) Act
  2. State of California Laws
    1. Data Breach Notification Law (CA Civil Code 1798.29)
    2. California Public Records Act (Government Code 6250-6276.48)
    3. Social Security Numbers Protection (CA Civil Code 1798.85-1798.89)
  3. Standards
    1. Payment Card Industry Data Security Standard (PCI DSS)
    2. Federal Bureau of Investigation Criminal Justice Information Services Standard (FBI CJIS)
    3. International Organization for Standardization (ISO) 27002

Appendix C – Security Policy/Standard Waiver

Information Technology and Security Terminology Glossary

Development and Revision History