9-2 Information Technology Use and Security Policy Manual - Development and Revision History
Return to IT Use and Security Policy Manual Table of Contents
Approved by: Board of Supervisors of the County of Sonoma (“County”), and the Boards of Directors of the Northern Sonoma County Air Pollution Control District, the Russian River County Sanitation District, Sonoma Valley County Sanitation District, Occidental County Sanitation District, South Park County Sanitation District, and the Board of Directors of the Sonoma County Agricultural Preservation and Open Space District (collectively referred to hereinafter as “Special Districts”), and the Sonoma County Water Agency (“Agency”), and the Board of Commissioners of the Sonoma County Community Development Commission (“Commission”). The County, Special Districts, Agency and Commission are collectively referred to herein as “Local Agencies” or singularly as “Local Agency.”
Version 1.0 - March 2014
All pages - Revised policy manual entitled IT Use and Security Policy Manual
Version 2.0 - January 2016
Page 31 - Added strong password and high risk application in the glossary
Version 3.0 - March 25, 2016
Page 31 - Revised strong password
Page 19 - Added Mobile Computing for personally owned Devices; Grammatical changes
Page 26 - Revised URL links for Federal, State and local laws; Removed “H” Local Information Services Providers. This is a duplicate of “D”; Removed “I” Users. This was a duplicate of “A” users.
Page 16 - K: Personal Use/Union Use: Added Recognized Employee Unions; Added Personally owned device in glossary
Version 4.0 - April 1, 2016
TOC - Verified removal of duplicate “users” section
Page 19 - Updated Table of contents to include Appendix C; Removed “when technically possible language under VII.G.2; Removed “when technically possible
Version 5.0 - April 7, 2016
Page 19 - Mobile Computing; A2. Revised Mobile Computing to “Users refusing to sign the Personally Owned Mobile Device agreement will not result in disciplinary action.”
Version 6.0 - May 13, 2016
Page 19 - Removed Appendix C “Personally owned Mobile Device agreement”. Moved language to Mobile Computing section to include user friendly language
Version 7.0 - June 10, 2016
Page 19 - Minor proposed updates in the mobile computing section.
Version 8.0 - June 29, 2016
Page 25 - Updated security awareness training section item 3 to include regular security awareness training and upon a change a change in their access.
Version 9.0 - August 18, 2016
Page 18 - Removed Unacceptable use #2 and added specific statements of unacceptable use from the current computer use policy
Version 10.0 - August 18, 2016
Page 19 - A. Personally Owned Mobile Device; Revised Item #1 Expectation of Privacy to say : “Users cannot be required to use their personally owned mobile devices to work on or access Local Agency IT Resources”; Item #3”: Modified sentence to “view” Users should also be aware that they can view but not store confidential or restricted data on their personally owned device; Item 9: Removed: Any changes in services must be reported to their supervisor or manager.
Version 11.0 - August 24, 2016
Page 18 - Unacceptable Use: Feedback that the phrase “which the Local Agency may deem inappropriate” was too broad; added specific language from current Computer Use Policy, as discussed.
Version 12.0 - September 29, 2016
Page 8 - Added under Users: Complying with the Mobile Computing section of this policy if using a mobile device to work on or access Local Agency IT resources or data.
Page 14 - Use of Electronic Messaging; Enhanced definition of personal messaging service. Underlined the statement about law enforcement: "Law enforcement and/or other Local Agency workforce may be exempted from these restrictions during the performance of legitimate job responsibilities."
Page 19-20 - Updated Personally Owned Device sub-section of the Mobile Computing Section: 11.Updated wording that the Local Agency will attempt to remotely wipe data from their personally owned device if the device is lost or stolen; 13. Added that unattended mobile devices must be physically stored in a safe and secure manner.
Page 23 - Added statement under the acknowledgment form agreeing to comply with personally owned device portion of the policy: "I understand that if I voluntarily use my personally owned device to access Local Agency IT resources and data, I must comply with the Personally Owned Devices sub-section of the Mobile Computing section of this policy."
Version 13.0 - November 16, 2016
Page 14 - Use of Local Agency IT Resources and Data Policy– Use of electronic messaging: Added for clarity on page 15: “social media accounts or email accounts ( e.g. texting, Twitter, Facebook Messenger,Yahoo,Gmail).”
Page 19 - Mobile Computing (Personally Owned Devices); Broke out the expectation of privacy into two paragraphs (#1 & #2) for readability: The County of Sonoma will only request access to the personally-owned device and password in order to implement security controls; to respond to litigation hold (aka e-discovery) requests arising out of administrative, civil, or criminal directives, Public Record Act Requests, and subpoenas; or as otherwise required or permitted by applicable state or federal laws. Such access will be performed by an authorized Local Information Service Provider technician or designee using a legitimate software process; Added in “when technically feasible” under #4.
Page 14-15 - Removed “Users should not use a personal email account (e.g. yahoo.com,gmail.com) to conduct Local Agency business on their personally owned mobile device.” This is already addressed on Page 15 (Use of Electronic Messaging). Added in a sentence on Physical Protection: “Unattended mobile devices must be physically stored in a safe and secured manner.”
Page 23 - Added this wording to the Acknowledgment, “I understand that If I voluntarily use my personally owned device to access Local Agency IT resources and data that I will comply with the personally owned section of the Mobile Computing Policy section on page 19.”