9-2 Information Technology Use and Security Policy Manual - Chapter II: Roles and Responsibilities
Approved by: Board of Supervisors of the County of Sonoma (“County”), and the Boards of Directors of the Northern Sonoma County Air Pollution Control District, the Russian River County Sanitation District, Sonoma Valley County Sanitation District, Occidental County Sanitation District, South Park County Sanitation District, and the Board of Directors of the Sonoma County Agricultural Preservation and Open Space District (collectively referred to hereinafter as “Special Districts”), and the Sonoma County Water Agency (“Agency”), and the Board of Commissioners of the Sonoma County Community Development Commission (“Commission”). The County, Special Districts, Agency and Commission are collectively referred to herein as “Local Agencies” or singularly as “Local Agency.”
What's on this Page
Users are all workforce members (employees or any other individual performing work on behalf of, or with approval of Local Agencies) authorized to access Local Agency IT resources and are responsible for:
- Users are all workforce members (employees or any other individual performing work on behalf of, or with approval of Local Agencies) authorized to access Local Agency IT resources and are responsible for:
- Complying with County Information Technology and Security policies;
- Maintaining the security of Local Agency IT resources and data associated with their role(s) as defined in this Policy manual;
- Storing original Local Agency data on the Local Agency network to ensure compliance with County or Local Agency records retention policy,
Sensitive information against loss, unauthorized use, access, or disclosure, by
- Using Sensitive information only for the stated legal and/or business purpose.
- Disclosing Sensitive information as permitted by law or with the express consent of the Data Owner.
- Not making copies of Sensitive information except as required in the performance of assigned duties.
- Keeping Sensitive information out of plain sight.
- Not sharing User accounts and passwords;
- Creating, changing and storing passwords in accordance with established policies and standards;
- Locking or logging off unattended workstations.
- Using only assigned Local Agency electronic messaging accounts, i.e., e-mail, to conduct Local Agency business communication, and refraining from conducting Local Agency business with personal electronic messaging accounts (e.g., Yahoo, Gmail). Law enforcement and/or other Local Agency workforce may be exempted from these restrictions during the performance of legitimate job responsibilities;
- Not violating copyright law, and conforming to software licensing restrictions by:
- Only using software that has been installed by their Local Information Service Provider or other authorized individual.
- Not engaging in any use of Local Agency IT resources that violates federal, state, local laws, Local Agency or County policy;
- Reporting any known or suspected information security incident to their manager/supervisor, Information Security Representative or Local Information Service Provider;
- Compliance with VII. Mobile Computing Policy if using a mobile device to work on or access Local Agency IT resources or data.
B. Local Agency Department Head/General Manager
Local Agency Department Head/General Manager and/or Designee are responsible for:
- Enforcing this Policy manual within their Local Agency;
- Ensuring all Users of Local Agency IT resources and data are made aware of County information technology and security policies and that compliance is mandatory;
- Ensuring all Users receive education regarding their security responsibilities before accessing Local Agency IT resources and data;
supplemental information technology and security
policies, standards, procedures, or guidelines as needed for their business
purposes, provided they are not less restrictive than County policies. Prior to final approval Local Agency Department
Head/General Manager and/or Designee are
- Providing supplements to Human Resources for review.
- Providing notice to employee organizations regarding any proposed supplements; and
- Providing supplements to Local Agency’s Local Information Service Provider to review for consistency with County/Local Agency IT security policies.
- Provide training in support of established procedures and guidelines
- Obtaining a signed acknowledgment from Users that they have had an opportunity to read and will comply with this Policy manual before accessing Local Agency IT resources and data;
- Designating or serving as an information security representative; and
- Submitting to the ISSC any needed requests for exceptions to this Policy manual.
C. Information Security Representative
The Information Security Representative is designated by the Local Agency Department Head/General Manager to coordinate information security within their Local Agency and is responsible for:
- Assisting in the development of any Local Agency information technology and security policy;
- Reviewing Local Agency information technology and security policies for compliance with County policies;
- Representing the Local Agency’s information security concerns countywide.
D. Local Information Services Providers
The County Information Systems Department, the Human Services Department Information Integration Division, the Sonoma County Sheriff's Office Technical Services Bureau, and the County Water Agency Computer Application and Instrumentation Support Section serve as Local Information Service Providers and are responsible for:
- Providing network infrastructure, network access, data storage and e-mail services to Local Agencies;
- Maintaining an inventory of Local Agency IT resources;
- Configuring Local Agency IT resources in accordance with County information technology and security policies and standards;
- Implementing and maintaining technology-based services that adhere to the intent and purpose of information technology and security policies, standards and guidelines;
- Investigation, remediation, and documentation of information security incidents; and
- Establishing and implementing standards, procedures and guidelines as needed for this Policy manual.
E. Chief Information Security Officer
The County Information Systems Director serves as the Chief Information Security Officer and is responsible for:
and managing the County Information Technology and Security Program, this
- Developing and maintaining the County information security strategy;
- Providing information security related technical, regulatory and policy leadership;
- Facilitating the implementation of County information technology and security policies; and
- Approving or denying policy waivers.
F. Information Security Steering Committee
The Information Security Steering Committee (ISSC) is the coordinating body for all County information security-related activities and is composed of the County Privacy Officer, Information Security Officer, and individuals designated by the IT Governance Council. The Information Security Steering Committee is responsible for:
- Developing and proposing County information technology and security policies, standards, and guidelines;
- Reviewing County information technology security policies annually and policy waivers.
- Reviewing Local Agency policy exception requests and making recommendations for CISO approval or denial;
- Maintaining documentation of policy waivers;
- As requested, reviewing Local Agency information technology and security policies for compliance with County policies; and
- Identifying and recommending industry best practices for information security.
G. HIPAA County Privacy Officer
The HIPAA County Privacy Officer is responsible for:
- Making required publication, consumer notice and regulatory filing, in response to data breaches involving Electronic Protected Health Information (ePHI) and/or personal information.
H. Data Owner
The Data Owner is the Local Agency Department Head/General Manager or other individual authorized by law, regulation or policy to collect and manage the data that supports their business operations and is responsible for:
- Identifying applicable law, regulations, or standards that contain information security requirements for the data they own;
- Classification of Local Agency data and IT resources they own based upon law, regulation, common business practice, liability or reputational factors;
- Establishing as needed, Local Agency policies and procedures for the data and IT resources they own;
- Responsible for ensuring mitigation of known or suspected information security incidents, and notification to individuals or agencies in the event of a data breach involving unencrypted personal information; and
- Designating or serving as the Data Steward.
I. Data Steward
The Data Steward is designated by the Data Owner to protect the confidentiality, integrity, and availability of the data that supports their business operations and is responsible for:
- Assisting the Data Owner in the classification of Local Agency data;
- Implementing protection requirements for the data and IT resources entrusted to their stewardship; and
- Authorizing access to Local Agency data in accordance with the classification of the data.
The Local Information Service Provider serves as the Data Custodian and is responsible for:
- Implementing the necessary safeguards to protect Local Agency data and IT resources at the level classified by the Data Owner or the Data Steward;
- Granting access privileges as authorized by the Data Owner or Data Steward;
- Complying with any additional security policies and procedures established by the Data Owner and/or Data Steward;
- Advising the Data Owner and/or Data Steward of vulnerabilities that may present a threat to their Local Agency data and of specific means of protecting that data; and
- Notifying the Data Owner of any known or suspected information security incident.