
9-2 Information Technology Use and Security Policy Manual - Appendix A: Guidelines

Information Systems Department


Approved by: Board of Supervisors of the County of Sonoma (“County”), and the Boards of Directors of the Northern Sonoma County Air Pollution Control District, the Russian River County Sanitation District, Sonoma Valley County Sanitation District, Occidental County Sanitation District, South Park County Sanitation District, and the Board of Directors of the Sonoma County Agricultural Preservation and Open Space District (collectively referred to hereinafter as “Special Districts”), and the Sonoma County Water Agency (“Agency”), and the Board of Commissioners of the Sonoma County Community Development Commission (“Commission”). The County, Special Districts, Agency and Commission are collectively referred to herein as “Local Agencies” or singularly as “Local Agency.”


  1. Data Classification

    These Guidelines provide examples to help assign the appropriate data classification.

    The Data Classification policy of this manual directs Local Agencies to identify and classify Local Agency data.

Confidential (highest level of sensitivity)

Description

Information protected from use and/or disclosure by law, regulation or standard, and for which heightened security measures are required.

Data Breach Notification Requirements

Yes. Notification required for unencrypted data. Mandated reporting and notification are not required for encrypted data. 

Reputational Risk

High

Disclosure Requirements

Confidential data must not be disclosed without proper prior consent from the Data Owner and/or County Counsel. Removal, redaction, de-identification or masking of Confidential data may be required to prevent inappropriate disclosure.

Common Data Elements (not all-inclusive) 

Personal Information as defined by California Civil Code Section 1798.82:

  • Social Security Number
  • Driver’s license number
  • California Identification (ID) number
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Medical information, including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
  • Health insurance information

Cardholder Information

Credit card number/primary account number and one or more of the following:

  • Cardholder name
  • Security Code
  • Expiration date

Peace Officer Bill of Rights (California Government Code 3300-3313)

A peace officer’s:

  • Personnel records
  • Home address
  • Phone number
  • Date of birth
  • Photograph 


Restricted (moderate level of sensitivity)

Description

Information maintained that requires special precautions to protect from unauthorized use, access, disclosure, modification, loss, or deletion.

Data Breach Notification Requirements

No data breach notification requirements for Restricted data.

Reputational Risk

Medium

Disclosure Requirements

Restricted data must not be made available for general public access without the consent of the Data Owner and/or County Counsel. Removal, redaction, or masking of Restricted data may be required to prevent inappropriate disclosure.

Common Data Elements (not all-inclusive)

Network/Systems Data

  • Event logs
  • Risk assessments
  • Disaster recovery plans
  • Configurations

Employee Data

  • Employee ID numbers
  • Employee applications

Public (low level of sensitivity)

Description

Information that is available for general access without review by the Data Owner and/or County Counsel.

Data Breach Notification Requirements

No data breach notification requirements for Public data.

Reputational Risk

Low

Disclosure Requirements

Subject to Local Agency policies, Public data may be disclosed without review by the Data Owner or County Counsel.

Common Data Elements (not all-inclusive)

Business Data

  • Job postings
  • Board Agendas and Meeting Minutes
  • Maps
  • Budget
  • Administrative Policies

Employment Data

  • Salary
  • Job Classification
  • Memorandum of Understanding