9-2 Information Technology Use and Security Policy Manual - Chapter VI: Information Security Incident Management Policy

Information Systems Department

Approved by: Board of Supervisors of the County of Sonoma (“County”), and the Boards of Directors of the Northern Sonoma County Air Pollution Control District, the Russian River County Sanitation District, Sonoma Valley County Sanitation District, Occidental County Sanitation District, South Park County Sanitation District, and the Board of Directors of the Sonoma County Agricultural Preservation and Open Space District (collectively referred to hereinafter as “Special Districts”), and the Sonoma County Water Agency (“Agency”), and the Board of Commissioners of the Sonoma County Community Development Commission (“Commission”). The County, Special Districts, Agency and Commission are collectively referred to herein as “Local Agencies” or singularly as “Local Agency.”

What's on this Page

This Policy establishes requirements for reporting and responding to information security events and vulnerabilities.

  1. Information Security Incident Reporting
  2. Information Security Incident Response

A. Information Security Incident Reporting

  1. Users must immediately report any known or suspected Information Security Incident (e.g., virus/worm attacks, actual or suspected loss or disclosure of confidential data) or system vulnerability to their manager/supervisor, Information Security Representative or Local Information Services Provider. Local Agencies must ensure that their Local Information Service Provider is informed.

    The above requirement does not authorize or condone an intentional search for system weaknesses and/or malfunctions.

B. Information Security Incident Response

Local Information Service Providers must have a current documented working plan for reporting on, responding to, recovering from and preventing recurrence of information security incidents. The plan must be labeled Confidential and distributed on a need-to-know basis.

The plan must incorporate the following practices:

  1. Collection and protection of evidence, to include a chain-of-custody;
  2. Documentation of information security incidents;
  3. Implementation of remediation strategies; 
  4. Notification to the County Privacy Officer of information security incidents involving actual or suspected loss or disclosure of electronic protected health information (ePHI);
  5. Notification to the Data Owner of information security incidents involving actual or suspected loss or disclosure of personal information;
  6. Reporting to the Chief Information Security Officer (CISO) and/or authorized designee; and
  7. Application of lessons learned from incidents.
