Monterey County

Information Technology Policies


Section: 6.0
Subject: Information Technology Security Policy
Date Issued: September 10, 2002
Issued by: Director of Information Technology, as recommended by the Department Head Information Technology Steering Committee
Applies to: All Officers and employees


PURPOSE

To establish the roles, responsibilities, and guidelines to protect and secure County information technology resources from unauthorized access, tampering, modification, communication, and/or theft.

POLICY STATEMENT

Owners of information technology resource assets are responsible for maintaining both the physical and logical security of the assets under their jurisdiction.

A Chief Security and Privacy Officer position will be created and maintained within the County to categorize security risks, promote county-wide security awareness, interpret local implementation of mandates for modifications of security practices, acquire technology to secure County facilities and information technology resources, establish detailed security procedures, audit compliance with established security policy and procedure, and construct, facilitate, and/or implement appropriate corrective actions to mitigate security risks and deficiencies.  The Chief Security and Privacy Officer shall have appropriate staff and effect good security management and practice both directly and through departmental Information Security Officers nominated by the individual Department Heads.  The departmental Information Security Officers shall not directly report to the Chief Security and Privacy Officer, but shall be responsible for coordinating departmental actions in support of County-wide security initiatives.

Buildings which house Monterey County information technology resources will be protected with physical security measures that prevent unauthorized persons from gaining access to the equipment.

All information communicated over Monterey County information technology resources that has not been specifically identified as the property of other parties will be treated as though it is a Monterey County enterprise asset.  It is the policy of Monterey County to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of this information.  In addition, it is the policy of Monterey County to protect information belonging to third parties--that has been entrusted to Monterey County in confidence--in the same manner as other intellectual property and copyrights, as well as in accordance with applicable contracts.

6.1 – Physical Security

A list of managers who are authorized to control and grant access to Monterey County facilities will be created and maintained.  To facilitate evacuation and to support investigations, Monterey County Departments must maintain records of the persons currently and previously inside the non-public areas of their facilities.  This information must be securely maintained for at least three (3) months.  Officer or employee access to non-public areas of facilities will be cancelled upon termination of an employment relationship with the County and all physical security access codes known by the worker will be deactivated or changed.

Access to every office, computer room, and work area containing sensitive information will be physically restricted.  Management responsible for the staff working in these areas must determine the appropriate access control method (receptionists, metal key locks, magnetic door locks, etc.).  Visitor access to offices, computer facilities, and other work areas containing sensitive information will be restricted and controlled by guards, receptionists, or other staff.  Whenever a worker notices an unescorted visitor inside a Monterey County restricted area, the visitor must be immediately questioned about the purpose for being in the restricted area and directly accompanied to the receptionist or the person they came to see.

Occupants of non-public areas of County facilities must wear an identification badge on the outer garments so that the information on the badge is clearly visible.  Workers who have forgotten their badges must obtain a temporary badge by providing a piece of picture identification (driver’s license, etc.). Such a temporary badge is valid for a single day only and must be turned in to the receptionist at the end of the workday.

All information storage media (such as hard disk drives, floppy disks, magnetic tapes, CD-ROMs, etc.) containing sensitive information must be physically secured when not in use.

The Chief Security and Privacy Officer will work with the County Departments to establish a process for maintaining physical security over microcomputer system equipment located in Monterey County facilities and offices which may involve check-in and check-out activities to help prevent theft of the equipment and any data stored thereon.  Computers, communications equipment, and related information systems equipment will not be removed from Monterey County Department premises unless approved by management.

All Monterey County network equipment must be physically secured with anti-theft devices if located in an open office environment.  Additional physical access controls may also be used for these devices.  For example, local area network servers must be placed in locked cabinets, locked closets, or locked computer rooms.  Computer equipment located in sales service offices must additionally be secured with anti-theft devices.


Access to information systems operations and networking staff offices, telephone wiring closets, computer machine rooms, network switching rooms, and other work areas containing "restricted" or "confidential" information must be physically restricted.  Management responsible for the staff working in these areas must consult the Chief Security and Privacy Officer to determine the appropriate access control method (receptionists, metal key locks, magnetic card door locks, etc.).

6.2 – Microcomputer Security

Monterey County microcomputers must only be used in a secure environment.  An environment is considered to be secure when appropriate controls have been established to protect the software, hardware, and data.  These controls must provide a measure of protection commensurate with the sensitivity of the data and the nature of anticipated risks.

An officer, employee, or contractor may be given permission to bring a "personally-owned" microcomputer or any of its component parts (including diskettes) into the workplace.  Use of such equipment with Monterey County information systems or data is permitted only after permission has been granted by a local Information Security Officer (ISO).


Users of Monterey County microcomputers must annually receive information security awareness training.


Microcomputer equipment should be physically protected to lessen the risks of theft, destruction, and/or misuse.  Suggested techniques to lessen these risks include housing the equipment in a locked room, physically locking the equipment to its workstation, or providing guard service or other physical security to protect the premises containing microcomputers.


Each piece of microcomputer equipment must be marked for identification and inventory control.  Inventory records of microcomputer equipment must be kept up-to-date.  The master inventory shall be maintained by the Department of Information Technology, with the assistance of the individual departments, in conformance with the adopted Information Technology Asset Management policies.


The loss or theft of any microcomputer hardware and/or software must be reported immediately to the local Information Security Officer (ISO). 


To prevent unauthorized access, users must configure their screen savers to blank the screen and require a password to resume whenever their workstations are unattended for more than 15 minutes.  If sensitive data resides on microcomputers, screen savers must be manually invoked whenever users leave these microcomputers.


Modems attached to microcomputers are not permitted unless previously approved by local department management.  Both inbound and outbound dial-up facilities are provided through LAN server based modem pools [these systems incorporate communications related access controls while microcomputers generally do not].


Microcomputer systems that handle sensitive data must employ an approved access control mechanism (e.g., software or hardware) to restrict access to authorized users.


Approved virus screening programs must be enabled on all microcomputers at all times.

If a virus detection program indicates that a virus has been discovered, the involved users must immediately notify the local Information Security Officer (ISO).  Users should not attempt to eradicate a virus or otherwise use the affected machine(s) until trained personnel have addressed the problem.


When a microcomputer is used as the primary machine supporting one or more production business applications, this machine must run an approved access control system that provides privilege control as well as change control.


Workers in the possession of portable, laptop, notebook, palmtop, and other transportable computers containing "restricted" or "confidential" Monterey County information must not leave these computers unattended at any time unless the information is stored in encrypted form. 


To prevent unauthorized disclosure, workers in the possession of transportable computers containing unencrypted "restricted" or "confidential" Monterey County information must not check these computers in airline luggage systems, with hotel porters, etc.  These computers must remain in the possession of the traveler at all times and be treated as hand luggage. 


Whenever "restricted" or "confidential" information is written to a floppy disk, magnetic tape, smart card, or other storage media, the storage media must be suitably marked with the highest relevant sensitivity classification.  When not in use, this media must be stored in a locked safe, locked furniture, or a similarly secured location.

6.3 – Data Security

Data security safeguards must be commensurate with the level of sensitivity of the data stored.  If sensitive data is stored on an information technology resource, access controls must be in place to restrict each user's ability to read, write, create, delete, or modify sensitive data.  These privileges must be defined in a manner consistent with the need-to-know and be approved by the data owner.


All data stored on information technology resources must be periodically backed-up and stored off-site in a physically-secured location.  Production business applications primarily running on microcomputers must have an established and documented back-up procedure approved by local department management.


All copies of sensitive data stored on diskettes must be labeled "sensitive" and stored in a physically-secured location (whether off-site or in the office).  


Defective or damaged diskettes with sensitive data must be destroyed according to methods approved by the Chief Security and Privacy Officer and the Information Technology Department.


Sensitive data printed on hardcopy output must be shredded prior to disposal.


Sensitive data displayed on a microcomputer screen must be protected from unauthorized viewing via screen saver programs, access control programs, and the arrangement of office furniture.


Users may only download or upload data in accordance with approvals granted by local department management.


Data downloaded must be protected in the manner warranted by its sensitivity.


Monterey County data may not be removed from Monterey County offices or premises without the advance approval of local department management.  This policy is particularly relevant to those who use portable computers.


Sensitive data must be electronically erased before the media leaves Monterey County.  This can be accomplished on diskettes by reformatting the diskette.  On hard disks and LAN server drives the data can be "erased" by deleting the file.  [High-security environments will require more stringent controls such as zeroization.]


Sensitive data must be encrypted with the aid of approved encryption programs when stored on disks, tapes, or other media.  Sensitive data must also be encrypted when sent over public data communications systems such as the Internet.


Whenever possible, sensitive information should be removed from microcomputers and hard drives before they are sent out for repair.  If this is not possible, ensure that microcomputers and hard drives containing sensitive or confidential information are repaired only by vendors with whom a nondisclosure agreement has been executed.  Alternatively, microcomputers may be repaired on-site under the supervision of an authorized Monterey County employee or agent.


All workers who must keep "restricted" or "confidential" Monterey County information at their homes in order to do their work must utilize lockable furniture for the proper storage of this information.  At the time of separation from Monterey County any information stored at home must be immediately returned. 


"Restricted" or "confidential" information must not be downloaded to remote locations--such as sales offices--unless proper physical security and encryption facilities are installed and faithfully observed.

6.4 – Password Protected Resources

Access to networks and other sensitive resources shall be authorized by the asset owners and require those with access to positively identify themselves as individuals with authorization via user-IDs and passwords, as a minimum means of authentication.


Computer and communication system access control achieved via passwords must incorporate passwords which are unique to each individual user.  Access control to files, applications, databases, computers, networks, and other system resources via shared passwords (also called "group passwords") is prohibited.


Wherever systems software permits, the display and printing of passwords must be masked, suppressed, or otherwise obscured such that unauthorized parties will not be able to observe or subsequently recover them.


Wherever systems software permits, the initial passwords issued to a new user by a security administrator must be valid only for the new user's first on-line session.  At that time, the user must be forced to choose another password.  This same process applies to the resetting of passwords in the event that a user forgets a password.


All vendor-supplied default passwords must be changed before any computer or communications system is used for Monterey County business.  This policy applies to passwords associated with end-user user-IDs, as well as passwords associated with systems administrator and other privileged user-IDs.


In selecting passwords, users must choose passwords that are difficult to guess.  This means that passwords must NOT be related to one's job or personal life.  For example, a car license plate number, a spouse's name, or fragments of an address must not be used.  This also means passwords must not be a word found in the dictionary or any other common word.  For example, proper names, places, technical terms, and slang must not be used.  Where such systems software facilities are available, users must be prevented from selecting easily-guessed passwords.


Users can choose easily-remembered passwords that are at the same time difficult for unauthorized parties to guess if they:


(a) String several words together (the resulting passwords are also known as "passphrases"),

(b) Shift a word up, down, left or right one row on the keyboard,

(c) Bump characters in a word a certain number of letters up or down the alphabet,

(d) Transform a regular word according to a specific method, such as making every other letter a number reflecting its position in the word,

(e) Combine punctuation or numbers with a regular word,

(f) Create acronyms from words in a song, a poem, or another known sequence of words,

(g) Deliberately misspell a word (but not a common misspelling), or

(h) Combine a number of personal facts like birth dates and favorite colors.


Users must not construct passwords that are identical or substantially similar to passwords they have previously employed.  Where systems software facilities are available, users must be prevented from reusing previous passwords. 


Users must not construct passwords using a basic sequence of characters that is then partially changed based on the date or some other predictable factor.  For example, users must NOT employ passwords like "X34JAN" in January, "X34FEB" in February, etc. 
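The password-selection rules above (not related to the user's job or personal life, not a dictionary word, not similar to an earlier password, not a predictable variation such as X34JAN / X34FEB) are the kind of rules "systems software facilities" are expected to enforce at password-change time.  The following Python script is an added illustration of such a check; it is not part of the County policy or of any County system, and the word list, user-ID and personal facts in it are constructed assumptions:

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for a real word list (assumption); a deployment would load the
# system dictionary plus local names, places, technical terms and slang.
DICTIONARY = {"password", "monterey", "county", "salinas", "welcome", "summer"}

# A trailing month abbreviation or short number is the "predictable factor" in the
# policy's X34JAN / X34FEB example.
_PREDICTABLE_SUFFIX = re.compile(
    r"(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec|\d{1,4})$", re.IGNORECASE)


def stem(password):
    """Lower-cased password with any trailing month or short number removed."""
    return _PREDICTABLE_SUFFIX.sub("", password).lower()


def check_password(candidate, user_id, personal_facts=(), previous=(), similarity=0.8):
    """Return the list of policy rules the candidate breaks (empty list = acceptable).

    personal_facts: strings the user must not build a password from (spouse's name,
    plate number, address fragment).  previous: the user's earlier passwords.
    """
    problems = []
    low = candidate.lower()

    # Not related to the user's job or personal life.
    facts = [user_id, *personal_facts]
    if any(len(f) >= 3 and f.lower() in low for f in facts):
        problems.append("related to the user's job or personal life")

    # Not a word found in the dictionary.  Exact match only: combining numbers or
    # punctuation with a word is an allowed technique under item (e).
    if low in DICTIONARY:
        problems.append("a dictionary word or proper name")

    # Not identical/similar to, or a predictable variation of, an earlier password.
    for old in previous:
        if SequenceMatcher(None, low, old.lower()).ratio() >= similarity:
            problems.append("identical or substantially similar to a previous password")
            break
        if stem(candidate) == stem(old):
            problems.append("predictable variation of a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed example user: jsmith, spouse Karen, plate 7ABC123, lives on Elm St.
    facts = ["Karen", "7ABC123", "Elm St"]
    for pw in ("Monterey", "X34FEB", "Karen-Elm-1", "Blue-Fog-Pelican-7"):
        verdict = check_password(pw, "jsmith", facts, previous=["X34JAN"])
        print(pw, "->", verdict or "acceptable")
```

The similarity threshold of 0.8 is an assumed value; a site would tune it, and a real deployment would compare against stored password history through a one-way hash rather than keeping earlier passwords in clear text.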


Passwords must not be stored in readable form in batch files, automatic log-in scripts, software macros, terminal function keys, in computers without access control, or in other locations where unauthorized persons might discover them.


Passwords must not be written down and left in a place where unauthorized persons might discover them.  Aside from initial password assignment and password reset situations, if there is reason to believe that a password has been disclosed to someone other than the authorized user, the password must be immediately changed. 


Regardless of the circumstances, passwords must never be shared or revealed to anyone else besides the authorized user.  To do so exposes the authorized user to responsibility for actions that the other party takes with the disclosed password.  If users need to share computer resident data, they should use electronic mail, public directories on local area network servers, and other mechanisms.  This policy does not prevent the use of default passwords--typically used for new user-ID assignment or password reset situations--which are then immediately changed when the user next logs onto the involved system.


To prevent password guessing attacks, where systems software permits, the number of consecutive attempts to enter an incorrect password must be strictly limited.  After three (3) unsuccessful attempts to enter a password, the involved user-ID must be either suspended until reset by a system administrator, or temporarily disabled for no less than three (3) minutes.  If dial-up or other external network connections are involved, the session must be disconnected. 
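The lockout rule above (three consecutive failures, then either suspension until an administrator resets the user-ID or a temporary disable of at least three minutes) is shown below as an added Python illustration of the counter an access control subsystem would keep.  It is not County code; the class name, its two modes and the time handling are assumptions made for the example:

```python
import time


class LockoutPolicy:
    """Tracks consecutive failed log-ins per user-ID.

    After `limit` consecutive failures the user-ID is either suspended until an
    administrator resets it (mode="suspend") or disabled for `lock_seconds`
    (mode="temporary").  Defaults follow the policy text: 3 attempts, 3 minutes.
    """

    def __init__(self, limit=3, lock_seconds=180, mode="temporary"):
        if mode not in ("temporary", "suspend"):
            raise ValueError("mode must be 'temporary' or 'suspend'")
        self.limit = limit
        self.lock_seconds = lock_seconds
        self.mode = mode
        self._failures = {}      # user-ID -> consecutive failures since last success
        self._locked_until = {}  # user-ID -> unlock time; inf means "until admin reset"

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        return self._locked_until.get(user, 0) > now

    def attempt(self, user, password_ok, now=None):
        """Record one log-in attempt; return True only if the log-in may proceed."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return False  # a locked user-ID is refused even with the correct password
        if password_ok:
            self._failures.pop(user, None)
            return True
        count = self._failures.get(user, 0) + 1
        if count >= self.limit:
            self._failures.pop(user, None)
            if self.mode == "suspend":
                self._locked_until[user] = float("inf")
            else:
                self._locked_until[user] = now + self.lock_seconds
        else:
            self._failures[user] = count
        return False

    def admin_reset(self, user):
        """System administrator clears a suspension or a temporary lock."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


if __name__ == "__main__":
    policy = LockoutPolicy()
    t0 = 1000.0  # constructed clock value, seconds
    for i in range(3):
        print("attempt", i + 1, "allowed:", policy.attempt("jdoe", False, t0 + i))
    print("locked now:", policy.is_locked("jdoe", t0 + 2))
    print("correct password 1 min later allowed:", policy.attempt("jdoe", True, t0 + 62))
    print("correct password 3 min later allowed:", policy.attempt("jdoe", True, t0 + 182))
```

The counter resets on a successful log-in, so occasional typing mistakes do not accumulate into a lockout; the session disconnect the policy requires for dial-up connections would be handled by the communications layer, not by this counter.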


Whenever system security has been compromised, or even if there is a convincing reason to believe that it has been compromised, the involved system administrator must immediately: (a) reassign all relevant passwords, and (b) force every password on the involved system to be changed at the time of the next log-in.  If systems software does not provide the latter capability, a broadcast message must be sent to all users telling them to change their passwords. 


All passwords must be immediately changed if they are suspected of being disclosed, or known to have been disclosed to anyone besides the authorized user. 


6.5 – Network Security

All computers permanently or intermittently connected to Monterey County networks must have, as a minimum, password access controls.  Multi-user systems must employ user-IDs and passwords unique to each user, as well as user privilege restriction mechanisms.  Network-connected single-user systems must employ hardware or software mechanisms that control system booting and that include a no-activity screen blanker.


Whenever system security has been compromised, or even if there is a convincing reason to believe that it has been compromised, a trusted version of the operating system and all security-related software must be reloaded from trusted storage media such as CD-ROMs, magnetic tapes, or original source code floppy disks.  The involved system(s) must then be rebooted.  Similarly, all changes to user privileges taking effect since the time of suspected system compromise must be immediately reviewed by the systems administrator for unauthorized modifications.


All users must be positively identified prior to being able to use any multi-user computer or communications system resources.  Positive identification for internal Monterey County networks involves both a user-ID and a fixed password, both of which are unique to an individual user.


Positive identification for dial-up lines involves the use of hand-held tokens, cryptographic challenge/response, or other approved extended user authentication techniques.  The combination of a user-ID and a fixed password does not provide sufficient security for dial-up connections to Monterey County systems or networks.  Modems attached to network-connected workstations situated in Monterey County offices are forbidden because they do not provide adequate positive user identification.  Modems connected to isolated computers (such as portable computers and home computers) are permissible.


Positive identification for users originating external real-time connections to Monterey County systems or networks via value added networks (like BT Tymnet), public networks (like Internet), or any other external communications system must also involve extended user authentication techniques. 


Where systems software permits, every log-in banner on multi-user computers must include a special notice.  This notice must state: (1) the system is to be used only by authorized users, and (2) by continuing to use the system, the user represents that he/she is an authorized user.  


The log-in process for network-connected Monterey County computer systems must simply ask the user to log-in, providing prompts as needed.  Specific information about the organization, the computer operating system, the network configuration, or other internal matters must not be provided until a user has successfully provided both a valid user-ID and a valid password.


If there has been no activity on a computer terminal, workstation, or microcomputer for a certain period of time, the system must automatically blank the screen and suspend the session.  Re-establishment of the session must take place only after the user has provided a valid password.  The recommended period of time is fifteen (15) minutes.  An exception to this policy will be made in those cases where the immediate area surrounding a system is physically secured via cipherlocks, secured-room badge readers, or similar technology.


With the exception of electronic bulletin boards or other systems where all regular users are anonymous, users are prohibited from logging into any Monterey County system or network anonymously (for example, by using "guest" user-IDs).  If users employ systems facilities which allow them to change the active user-ID to gain certain privileges, they must have initially logged-in employing a user-ID that clearly indicates their identity.  On UNIX systems, this means that users must be prevented from initially logging-in as "root," but must instead first log-in employing their own user-ID.  If such users have been granted the ability to achieve superuser privileges, they may then "set userid" ("su") to gain "root" access.  Whatever the operating system, logs must record all such changes of current user-IDs. 


From time to time, the Director of Information Technology will designate individuals to audit compliance with this and other computer and network security policies.  At the same time, every worker must promptly report any suspected network security problem--including intrusions and out-of-compliance situations--to the Chief Security and Privacy Officer.


Computer viruses can spread quickly and need to be eradicated as soon as possible to limit serious damage to computers, networks, and Monterey County information.  Accordingly, provided no intention to damage Monterey County systems existed, if workers report a computer virus infestation immediately after it is noticed, even if their negligence was a contributing factor, no disciplinary action will be taken. 


All network or systems software malfunctions must be immediately reported to the Information Technology Department Customer Service Desk (Help Desk) and/or the involved external information system service provider.  Ignoring these malfunctions could lead to serious problems such as lost or damaged information as well as unavailable network services.


Every multi-user computer or communications system must include sufficient automated tools to assist the systems administrator in verifying the systems' security status.  These tools must include mechanisms for the recording, detection, and correction of commonly-encountered security problems. 


Whenever cost-justifiable, automated tools for handling common security problems must be used on Monterey County computers and networks.  For example, autodiscovery software (which automatically checks microcomputer software licenses via a local area network) must be used on a regular basis. 


To the extent that systems software permits, computer and communications systems handling sensitive, valuable, or critical Monterey County information must securely log all significant security relevant events.  Examples of security relevant events include: users switching user-IDs during an on-line session, attempts to guess passwords, attempts to use privileges that have not been authorized, modifications to production application software, modifications to system software, changes to user privileges, and changes to logging subsystems. 
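Logs of the events listed above are only useful if someone reviews them.  The following Python script is an added illustration of a periodic review that picks out three of those events: password-guessing (runs of failed log-ins reaching the three-attempt threshold of 6.4), users switching user-IDs during a session ("su" to "root"), and direct log-ins as "root", which the policy says must be prevented.  It is not County code; the log format and the sample lines are constructed for the example and do not match any real system's logging format:

```python
import re
from collections import defaultdict

# Constructed log format (assumption; not a real syslog or application format):
#   <timestamp> <host> <EVENT> key=value ...
SAMPLE_LOG = """\
2002-10-01T08:01:02 srv01 LOGIN_FAIL user=jdoe from=10.1.2.3
2002-10-01T08:01:09 srv01 LOGIN_FAIL user=jdoe from=10.1.2.3
2002-10-01T08:01:15 srv01 LOGIN_FAIL user=jdoe from=10.1.2.3
2002-10-01T08:01:40 srv01 LOGIN_FAIL user=jdoe from=10.1.2.3
2002-10-01T08:05:00 srv01 LOGIN_OK user=asmith from=10.1.2.9
2002-10-01T08:06:10 srv01 SU user=asmith target=root
2002-10-01T08:30:00 srv01 LOGIN_FAIL user=asmith from=10.1.2.9
2002-10-01T08:30:20 srv01 LOGIN_OK user=asmith from=10.1.2.9
2002-10-01T09:00:00 srv01 LOGIN_OK user=root from=10.1.2.50
"""

_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<kv>.*)$")


def parse_line(line):
    """One log line -> dict with ts/host/event plus any key=value fields, or None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    record = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    record.update(re.findall(r"(\w+)=(\S+)", m["kv"]))
    return record


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def longest_failure_runs(records):
    """Longest run of consecutive LOGIN_FAIL events per user-ID; LOGIN_OK resets the run."""
    run = defaultdict(int)
    longest = defaultdict(int)
    for r in records:
        user = r.get("user", "?")
        if r["event"] == "LOGIN_FAIL":
            run[user] += 1
            longest[user] = max(longest[user], run[user])
        elif r["event"] == "LOGIN_OK":
            run[user] = 0
    return dict(longest)


def review(text, limit=3):
    """Summarize the security-relevant events a reviewer should look at."""
    records = parse_log(text)
    runs = longest_failure_runs(records)
    return {
        "password_guessing": {u: n for u, n in runs.items() if n >= limit},
        "user_id_switches": [(r["ts"], r["user"], r["target"])
                             for r in records if r["event"] == "SU"],
        "direct_root_logins": [r["ts"] for r in records
                               if r["event"] == "LOGIN_OK" and r.get("user") == "root"],
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A single failed attempt followed by a success (asmith above) is normal typing error and is not reported; four consecutive failures against jdoe, the su to root, and the direct root log-in all are.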


Logs containing computer or communications system security relevant events must be retained for at least three (3) months.  During this period, logs must be secured such that they cannot be modified, and such that they can be read only by authorized persons.  These logs are important for error correction, security breach recovery, investigations, and related efforts.  The Information Technology Department will maintain the logs for access by the Departments.


To provide evidence for investigation, prosecution, and disciplinary actions, certain information must be captured whenever it is suspected that computer or network related crime or abuse has taken place.  The relevant information must be securely stored off-line until such time as it is determined that Monterey County will not pursue legal action or otherwise use the information.  The information to be immediately collected includes the system logs, application audit trails, other indications of the current system states, as well as copies of all potentially involved files. 


To allow proper remedial action to be taken in a timely manner, records reflecting security relevant events must be periodically reviewed in a timely manner by computer operations staff, information security staff, or systems administration staff.


Users must be put on notice about the specific acts that constitute computer and network security violations.  Users must also be informed that such violations will be logged. 


Although systems administrators are not required to promptly load the most recent version of operating systems, they are required to promptly apply all security patches to the operating system that have been released by either: (a) knowledgeable and trusted user groups, (b) well-known systems security authorities such as Carnegie Mellon University's Computer Emergency Response Team (aka CERT), and (c) the operating system vendor.  Only those systems security tools supplied by these sources or by commercial software firms may be used on Monterey County computers and networks. 


Information about security measures for Monterey County computer and communication systems is confidential and should not be released to people who are not authorized users of the involved systems unless the permission of the Director of Information Technology or the Chief Security and Privacy Officer has first been obtained.  For example, publishing modem phone numbers or other system access information in directories is prohibited.  Nonetheless, release of Internet electronic mail addresses is permissible.


6.6 – System Privileges

The computer and communications system privileges of all users, systems, and independently-operating programs (such as "agents") must be restricted based on the need-to-know.  This means that privileges must not be extended unless a legitimate business-oriented need for such privileges exists. 


Default user file permissions must not automatically allow anyone on the system (on UNIX systems, the "world") to read, write, or execute a file.  Although users may reset permissions on a file-by-file basis, such permissive default file permissions are prohibited.  Nonetheless, default file permissions granted to limited groups of people who have a bona fide need-to-know are allowed.
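On UNIX systems the default permissions of new files are governed by the umask: each new file is created with the mode the program requests (normally 666 for data files) minus the bits in the mask, so a mask of 022 leaves files world-readable while 027 or 077 does not.  The Python script below is an added illustration, not County code, of (1) checking whether a mask blocks all "world" access, (2) creating files under three masks to show the resulting modes, and (3) auditing a directory for files that anyone on the system can read, write or execute.  The file names and the temporary directory are constructed for the example:

```python
import os
import stat
import tempfile


def umask_blocks_world(mask):
    """True if the mask removes every 'other' (world) permission bit."""
    return mask & 0o007 == 0o007


def current_umask():
    """Read the process umask (there is no read-only call; set and restore)."""
    mask = os.umask(0)
    os.umask(mask)
    return mask


def create_with_umask(path, mask):
    """Create an empty file under the given umask and return the mode it ended up with."""
    old = os.umask(mask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def world_access(path):
    """Letters for the permissions 'world' has on path: 'rw', 'r', 'x', '' ..."""
    mode = os.stat(path).st_mode
    return (("r" if mode & stat.S_IROTH else "")
            + ("w" if mode & stat.S_IWOTH else "")
            + ("x" if mode & stat.S_IXOTH else ""))


def audit_tree(root):
    """Sorted list of (relative path, world access) for files with any world access."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            access = world_access(path)
            if access:
                findings.append((os.path.relpath(path, root), access))
    return sorted(findings)


def demo():
    """Create three files under different masks inside a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        permissive = create_with_umask(os.path.join(d, "notes.txt"), 0o000)    # world rw
        group_only = create_with_umask(os.path.join(d, "shared.txt"), 0o027)   # group r
        restricted = create_with_umask(os.path.join(d, "payroll.csv"), 0o077)  # owner only
        return {
            "permissive_mode": permissive,
            "group_mode": group_only,
            "restricted_mode": restricted,
            "world_accessible": audit_tree(d),
        }


if __name__ == "__main__":
    print("current umask: %03o (blocks world: %s)" % (current_umask(), umask_blocks_world(current_umask())))
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

The audit walks only regular files; a production version would also report world-writable directories and set-user-ID programs, and would be run from the default umask set in the login profile rather than from an ad-hoc process.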


Users with microcomputers (Macintoshes and IBM-PCs) are responsible for administering a screen saver program securing access to their machine's hard disk drive, and setting passwords for all applications and systems software that provide the capability.


Monterey County computer and communications systems must restrict access to the computers that users can reach over Monterey County networks.  These restrictions can be implemented via routers, gateways, front-end telecommunications processors, and other network components.  These restrictions must be used to, for example, control "passthru"--where a user logging into a certain computer then moves from that computer on to another.


6.6.1 – Process for Granting System Privileges

Requests for new user-IDs and changed privileges must be in writing and approved by the user's manager before a systems administrator fulfills these requests.  To help establish accountability for events on the related systems, documents (perhaps in electronic form) reflecting these requests must be retained for a period of at least a year. 


Individuals who are not Monterey County officers or employees must not be granted a user-ID or otherwise be given privileges to use Monterey County computers or communications systems unless the advance written approval of a department head has first been obtained.


Privileges granted to users who are not Monterey County officers or employees must be granted for periods of 90-days or less.  As needed, users who are not Monterey County officers or employees must have their privileges reauthorized by the sponsoring department head every 90 days. 


Special system privileges--such as the default ability to write to the files of any other users--must be restricted to those directly responsible for systems administration and/or systems security.  An exception to this policy can be made only if a department head has approved the exception in writing.  For example, end-users must not be granted "root" privileges (or comparable access rights on non-UNIX platforms), unless they have first received specific written authorization from their department managers.  Similarly, configuration changes, operating system changes, and related activities that require "root" privileges must be performed by systems administrators, NOT end-users.


Third party vendors must NOT be given dial-up privileges to Monterey County computers and/or networks unless the involved system administrator determines that they have a bona fide need.  These privileges must be enabled only for the time period required to accomplish the approved tasks (such as remote maintenance).  If a perpetual or long-term connection is required, then the connection must be established by approved extended user authentication methods (hand-held tokens, software-based challenge/response process, etc.).


All users wishing to use Monterey County internal networks, or multi-user systems that are connected to Monterey County internal networks, must sign a compliance statement prior to being issued a user-ID.  If a certain user already has a user-ID, a signature must be obtained prior to receiving a renewed user-ID.  The latter process must be performed periodically.  A signature on this compliance statement indicates the involved user understands and agrees to abide by Monterey County policies and procedures related to computers and networks (including the instructions contained in this document).

 

6.6.2  Process for Revoking System Access

All user-IDs must automatically have the associated privileges revoked after a certain period of inactivity.  The recommended period is thirty (30) days. 

 

If a computer or communication system access control subsystem is not functioning properly, it must default to denial of privileges to users.  If access control subsystems are malfunctioning, the systems they support must remain unavailable until such time as the problem has been rectified. 
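As an added example that is not part of the County's policy or of any County system, the three revocation rules above (the earlier 90-day reauthorization limit for non-employee users, the 30-day inactivity suspension, and the fail-closed behaviour of a malfunctioning access control subsystem) written as a review routine; the account records, dates and the subsystem health flag are constructed for illustration.

```python
"""Added example: the access-revocation rules of section 6.6 as a review routine.

Not part of the County's policy or any County system. The account records,
dates and the subsystem_healthy flag below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=30)       # 6.6.2: recommended inactivity period
SPONSOR_REAUTH_LIMIT = timedelta(days=90)   # non-employee privileges: 90 days or less


@dataclass
class Account:
    user_id: str
    is_employee: bool
    last_activity: date                     # a never-used ID carries its issue date here
    privileges: tuple[str, ...]
    sponsor_reauthorized: Optional[date] = None   # department-head reauthorization (non-employees)


@dataclass
class Decision:
    user_id: str
    action: str                             # "allow" or "suspend"
    reason: str


def review_account(acct: Account, today: date) -> Decision:
    """Decide whether a user-ID keeps its privileges on the review date."""
    if not acct.privileges:
        return Decision(acct.user_id, "allow", "no privileges to revoke")

    # Inactivity applies to every user-ID, employee or not (6.6.2).
    idle = today - acct.last_activity
    if idle >= INACTIVITY_LIMIT:
        return Decision(acct.user_id, "suspend",
                        f"inactive for {idle.days} days (limit {INACTIVITY_LIMIT.days})")

    # Non-employees additionally need a current sponsor reauthorization.
    if not acct.is_employee:
        if acct.sponsor_reauthorized is None:
            return Decision(acct.user_id, "suspend", "non-employee without sponsor authorization")
        age = today - acct.sponsor_reauthorized
        if age > SPONSOR_REAUTH_LIMIT:
            return Decision(acct.user_id, "suspend",
                            f"sponsor reauthorization is {age.days} days old "
                            f"(limit {SPONSOR_REAUTH_LIMIT.days})")

    return Decision(acct.user_id, "allow", "within policy")


def access_granted(subsystem_healthy: bool, acct: Account, today: date) -> bool:
    """Fail closed: a malfunctioning access control subsystem denies everyone (6.6.2)."""
    if not subsystem_healthy:
        return False
    return review_account(acct, today).action == "allow"


def suspended_ids(accounts, today: date) -> list[str]:
    """User-IDs the review would suspend, in input order."""
    return [d.user_id for d in (review_account(a, today) for a in accounts)
            if d.action == "suspend"]


# Constructed sample data (not real County accounts).
REVIEW_DATE = date(2002, 10, 1)
SAMPLE_ACCOUNTS = (
    Account("alice", True, date(2002, 9, 20), ("read",)),                     # 11 days idle
    Account("bob", True, date(2002, 8, 1), ("read", "write")),                # 61 days idle
    Account("carol", False, date(2002, 9, 28), ("read",), date(2002, 6, 1)),  # reauth 122 days old
    Account("dave", False, date(2002, 9, 28), ("read",), date(2002, 8, 15)),  # reauth 47 days old
    Account("erin", False, date(2002, 9, 28), ("read",)),                     # no sponsor record
)

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        d = review_account(acct, REVIEW_DATE)
        print(f"{d.user_id:6} {d.action:8} {d.reason}")
    print("access with broken subsystem:", access_granted(False, SAMPLE_ACCOUNTS[0], REVIEW_DATE))
```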

 

Users must not test or attempt to compromise computer or communication system security measures unless specifically approved in advance and in writing by the Chief Security and Privacy Officer.  Incidents involving unapproved system cracking (hacking), password cracking (guessing), file decryption, bootleg software copying, or similar unauthorized attempts to compromise security measures may be unlawful, and will be considered serious violations of Monterey County policy.  Customer requests that Monterey County security mechanisms be compromised must NOT be satisfied unless: (a) the Chief Security and Privacy Officer approves in advance, or (b) Monterey County is compelled to comply by law.  Likewise, short-cuts bypassing systems security measures, as well as pranks and practical jokes involving the compromise of systems security measures, are absolutely prohibited.

 

The system privileges granted to users must be re-evaluated by management annually.  In response to feedback from management, systems administrators must promptly revoke all privileges no longer needed by users.

 

Management must promptly report all significant changes in worker duties or employment status to the system administrators responsible for user-IDs associated with the involved persons.  For all terminations, Human Resources must also issue a notice of status change to all system administrators who might be responsible for a system on which the involved worker might have a user-ID.  

 

6.6.3 Establishment of Access Paths

Changes to Monterey County internal networks include loading new software, changing network addresses, reconfiguring routers, adding dial-up lines, and the like.  With the exception of emergency situations, all changes to Monterey County computer networks must be: (a) documented in a work order request, and (b) approved in advance by the Information Technology Department except as explicitly delegated by the IT Department.  Emergency changes to Monterey County networks must only be made by persons who are authorized by the IT Department.  This process prevents unexpected changes from inadvertently leading to denial of service, unauthorized disclosure of information, and other problems.  This process applies not only to "workers" as defined in the Scope section of this policy, but also to vendor personnel.

 

Workers must NOT establish electronic bulletin boards, local area networks, modem connections to existing local area networks, or other multi-user systems for communicating information without the specific approval of the Director of the Information Technology Department.  Likewise, new types of real-time connections between two or more in-house computer systems must not be established unless such approval has first been obtained.  This policy helps to ensure that all Monterey County systems have the controls needed to protect other network-connected systems.  Security requirements for a network-connected system are not just a function of the connected system, they are also a function of all other Monterey County connected systems.

 

Participation in external networks as a provider of services that external parties rely upon is expressly prohibited unless explicitly permitted by the Director of Information Technology in writing.  Acting as an Internet node is an example of such participation.

 

All Monterey County computers that intermittently or continuously connect to an internal or external network must employ password-based access controls.  Multi-user computers must employ software which restricts access to the files of each user, which logs the activities of each user, and which has special privileges granted to a systems administrator.  Single-user systems must employ access control software that includes boot control and an automatic screen blanker that is invoked after a certain period of no keyboard (or other input device) activity.  Portable computers and home computers which contain Monterey County information are also covered by this policy, as are network devices such as gateways, routers, and bridges.

 

To stop unauthorized system access and related problems, all inter-processor commands from non-Monterey County locations are prohibited unless a user or process has first properly logged-in.  An example of such a command is a remotely-initiated request for a list of users currently logged-in.

 

Users initiating sessions via dial-up lines connected to Monterey County internal networks and/or multi-user computer systems must pass through an additional access control point (firewall) before users employing these lines can reach a log-in banner.  Although other forms of firewalls are possible, Monterey County now provides such access via dynamic passwords (specifically the hand-held token system).  Unless approved in advance by the Director of Information Technology, dial-up connections that do not go through approved firewalls in order to reach Monterey County internal-network connected systems are prohibited.  This policy applies to Internet inbound calls as well as Electronic Data Interchange (EDI). 

 

Remote maintenance ports for Monterey County computer and communication systems must be disabled until the specific time they are needed by the vendor.  These ports must then be disabled again immediately after use.  Alternatively, dial-up connections can be established with vendors via outbound calls initiated by Monterey County workers.  No firewall access control is needed for either type of connection.

 

Portable phones using radio technology as well as cellular phones must not be used for data transmissions containing Monterey County "confidential" or "restricted" information unless the connection is encrypted.  Likewise, other broadcast networking technologies--such as radio-based local area networks--must not be used for these types of Monterey County information unless the link is encrypted.  Such links may be used for electronic mail as long as the user understands that it contains no "confidential" or "restricted" information.

 

6.7  Computer Viruses, Worms, and Trojan Horses

A computer virus is an unauthorized program that replicates itself, attaches itself to other programs, and spreads onto various data storage media (floppy disks, magnetic tapes, random access memory, etc.) and/or across a network.  The symptoms of virus infection include much slower computer response time, inexplicable loss of files, changed modification dates for files, increased file sizes, and total failure of computers. 

 

To assure continued uninterrupted service for both computers and networks, all microcomputer (Macintosh and IBM-PC) users must keep approved virus screening software enabled on their computers.  This screening software must be used to scan all software coming from either third parties or other Monterey County departments; the scanning must take place before the new software is executed.  Users may not bypass scanning processes that could arrest the transmission of computer viruses.

 

Although users are responsible for eradicating viruses from their systems whenever they have been detected, they must immediately call the Information Technology Department's "hot-line" whenever they believe that a system has been infected.  This will allow steps to promptly be taken to assure that no further infection takes place and that experts needed to eradicate the virus are promptly engaged.

 

To assist with the post-virus-infection restoration of microcomputer computing environments, all microcomputer software must be copied prior to its initial usage, and such copies must be stored in a safe place.  These master copies must not be used for ordinary business activities, but must be reserved for recovery from computer virus infections, hard disk crashes, and other computer problems.  These master copies must also be stored in a secure location. 

 

Larger systems do not generally suffer from viruses, but they do suffer from worms and Trojan horses.  Worms are much like viruses, but do not attach themselves to other programs.  Trojan horses are unauthorized programs hidden within authorized programs.  To prevent problems with viruses, worms, and Trojan horses, Monterey County computers and networks must not run software that comes from sources other than: (a) business partners, (b) knowledgeable and trusted user groups, (c) well-known systems security authorities such as Carnegie Mellon University's Computer Emergency Response Team (aka CERT), (d) computer or network vendors, or (e) commercial software vendors.  Software downloaded from electronic bulletin boards, shareware, public domain software, and other software from untrusted sources must not be used unless it has first been subjected to a rigorous testing regimen approved by the Chief Security and Privacy Officer.

 

6.8  Encryption

When Monterey County "confidential" or "restricted" information is transmitted over any communication network, it must be sent in encrypted form.  Likewise, whenever Monterey County source code, or source code that has been entrusted to Monterey County by a business partner, is to be sent over a network, it too must be in encrypted form.

 

Similarly, whenever "confidential" or "restricted" information is not being actively used, it must be stored in encrypted form.  This means that when "confidential" or "restricted" information is stored or transported in computer-readable storage media (such as magnetic tapes or floppy disks), it must be in encrypted form.

 

Encryption of information at rest (in storage) or in transit (on a network) must be achieved via commercially-available products approved by the Information Technology Department.  The algorithm called the Data Encryption Standard (DES) is recommended, but because it is not exportable, secured international communications will often need to use other algorithms.

 

Whenever encryption is used, workers must not delete the sole readable version of the information unless they have first demonstrated that the decryption process is able to reestablish a readable version of the information. 

 

Encryption keys used for Monterey County information are always classified as "confidential" or "restricted" information.  Access to such keys must be strictly limited to those who have a need-to-know.  Unless the approval of the Chief Security and Privacy Officer is first obtained, encryption keys must not be revealed to consultants, contractors, temporaries, or third parties.  Likewise, encryption keys must always be encrypted when sent over a network.

 

Whenever such facilities are commercially available, Monterey County must employ automated rather than manual encryption key management processes for the protection of information on Monterey County networks.

 

6.9  Remote Printing

Printers must not be left unattended if "restricted" or "confidential" information is being printed or will soon be printed.  The persons attending the printer must be authorized to examine the information being printed.  Unattended printing is permitted if the area surrounding the printer is physically protected such that persons who are not authorized to see the material being printed may not enter. 

 

6.10  Right to Audit and Examine

Unless contractual agreements dictate otherwise, messages sent over Monterey County computer and communications systems are the property of Monterey County.  To properly protect and manage this property, management reserves the right to examine all data stored in or transmitted by these systems.  Since Monterey County's computer and communication systems must be used for business purposes only, workers should have no expectation of privacy associated with the information they store in or send through these systems. 

 

When providing computer networking services, Monterey County does not provide default message protection services such as encryption.  Accordingly, no responsibility is assumed for the disclosure of information sent over Monterey County's networks, and no assurances are made about the privacy of information handled by Monterey County internal networks.  In those instances where session encryption or other special controls are required, it is the user's responsibility to make sure that adequate security precautions have been taken.  Nothing in this paragraph should be construed to imply that Monterey County policy does not support the controls dictated by agreements with third parties (such as organizations which have entrusted Monterey County with confidential information). 

 

6.11  Exceptions

The Director of Information Technology acknowledges that under rare circumstances, certain workers will need to employ systems that are not compliant with these policies.  All such instances must be approved in writing and in advance by the Director of Information Technology and/or the Chief Security and Privacy Officer.

 

DEFINITIONS

 

Access control: A system to restrict the activities of users and processes based on the need-to-know.

 

Agents: A new type of software that performs special tasks on behalf of a user, such as searching multiple databases for designated information.

 

Algorithm: A mathematical process for performing a certain calculation; generally used to refer to the process for performing encryption.

 

Badge reader: A device which reads badges and interconnects with a physical access control system.

 

Booting: The process of initializing a computer system from a turned-off state.

 

Bridge: A device which interconnects networks or that otherwise allows networking circuits to be connected.

 

Cipherlock: A device that requires the entry of passwords at doors and which provides physical access control over a room or building.

 

Compliance statement: A document used to obtain a promise from a computer user that such user will abide by system policies and procedures.

 

Confidential information: A designation for information, the disclosure of which is expected to damage Monterey County or its business affiliates (see restricted information).

 

Critical information: Any information essential to Monterey County's business activities, the destruction, modification, or unavailability of which would cause serious disruption to Monterey County's business.

 

Cryptographic challenge/response: A process for identifying computer users involving the issuance of a random challenge to a remote workstation, which is then transformed using an encryption process and a response is returned to the connected computer system.

 

Data Security Classification: Monterey County data is classified into two basic categories:

 

(1) Nonsensitive - Data is classified as "nonsensitive" if unauthorized modification, destruction, loss, disclosure, or unavailability of the data is not expected to cause interruption, setback, or damage to Monterey County's business goals or reputation. 

 

(2) Sensitive - Data is classified as "sensitive" if unauthorized modification, destruction, loss, disclosure, or unavailability of the data would cause an interruption, setback, or damage to Monterey County's business goals or reputation. 

 

Default file permission: Access control file privileges (read, write, execute, etc.) granted to computer users without further involvement of either a security administrator or users.

 

Default password: An initial password issued when a new user-ID is issued, or an initial password provided by a computer vendor when hardware/software is first delivered.

 

Downloading: The transfer of data from a host computer (mainframe, minicomputer, network server, etc.) system to a connected workstation, such as a personal computer.

 

Dynamic password: A password which changes each time a user logs into a computer system.

 

Encryption: A process involving data coding to achieve confidentiality, anonymity, time-stamping, and other security objectives.  The process of transforming computer-based readable data into an unintelligible form called "ciphertext."  Reversing the encryption process and transforming the ciphertext back into its original "plaintext" form is called decryption.  The encryption and decryption methods are designed so that only the desired recipient, with the appropriate key, may decrypt the ciphertext.

 

Encryption key: A secret password or bit string used to control the algorithm governing an encryption process.

 

End-user: A user who employs computers to support Monterey County business activities, who is acting as the source or destination of information flowing through a computer system.

 

Extended user authentication technique: Any of various processes used to bolster the user identification process achieved by user-IDs and fixed passwords (see hand-held tokens and dynamic passwords).

 

Firewall: A logical barrier stopping computer users or processes from going beyond a certain point in a network unless these users or processes have first passed some security check (such as providing a password).

 

Front-end telecommunications processor: A small computer used to handle communications interfacing (polling, multiplexing, error detection, etc.) for another computer. 

 

Gateway: A computer system used to link networks which can restrict the flow of information and which employs some access control method.

 

Information retention schedule: A formal listing of the types of information that must be retained for archival purposes and the timeframes that these types of information must be kept. 

 

Isolated computer: A computer which is not connected to a network or any other computer; a stand-alone personal computer is an example.

 

Log-in banner: The initial message presented to a user when he or she first makes connection with a computer.

 

Log-in script: A set of stored commands which can log a user into a computer automatically.

 

Master copies of software: Copies of software which are retained in an archive and which are not used for normal business activities.

 

Microcomputer: A general purpose or portable (including laptop) computer consisting of one or more microprocessors assembled in a unit that will fit on top of a desk.  The unit typically consists of a central processing unit (CPU), video display, keyboard, disk drive, and a number of peripheral devices such as a printer and CD-ROM drive.  The terms "microcomputer" and "personal computer" (PC) are considered synonymous and may be used interchangeably in this document.

 

Multi-user computer system: Any computer that can support more than one user simultaneously.

 

Owner: The principal user representative who has been charged with responsibility for a particular application system or data collection (for example a database).  The Owner is the focal point for all user activity with respect to the application or data collection in question, including the specification of security requirements and related access control restrictions.

 

Password guessing attack: A computerized or manual process whereby various possible passwords are provided to a computer in an effort to gain unauthorized access.

 

Password reset: The assignment of another (temporary) password when a user forgets or loses his/her password.

 

Password-based access control: Software which relies on passwords as the primary mechanism to control system privileges.

 

Password: Any secret string of characters used to positively identify a computer user or process.

 

Positive identification: The process of definitively establishing the identity of a computer user.

 

Privilege: An authorized ability to perform a certain action on a computer, such as read a specific computer file.

 

Privileged user-ID: A user-ID which has been granted the ability to perform special activities, such as shut down a multi-user system.

 

Restricted information: Particularly sensitive information, the disclosure of which is expected to severely damage Monterey County or its business affiliates (see confidential information).

 

Router: A device that interconnects networks using different layers of the Open Systems Interconnection (OSI) Reference Model.

 

Screen blanker: See screen saver.

 

Screen saver: A computer program that automatically blanks the screen of a computer monitor or CRT after a certain period of no activity.

 

Hand-held token: A commercial dynamic password system which employs a smart card to generate one-time passwords that are different for each session.

 

Security patch: A software program used to remedy a security or other problem (commonly applied to operating systems).

 

Sensitive information: Any information, the disclosure of which could damage Monterey County or its business associates.

 

Shared password: A password known by and/or used by more than one individual.

 

Software macro: A computer program containing a set of procedural commands to achieve a certain result.

 

Special system privilege: Access system privileges allowing the involved user or process to perform activities which are not normally granted to other users.

 

Suspending a user-ID: The process of revoking the privileges associated with a user-ID.

 

Systems administrator: A designated individual who has special privileges on a multi-user computer system, and who looks after security and other administrative matters.

 

Terminal function keys: Special keys on a keyboard that can be defined to perform certain activities such as save a file.

 

Uploading: The transfer of data from a connected device, such as a personal computer, to a host system (mainframe, minicomputer, etc.).

 

User-IDs: Also known as accounts, these are character strings that uniquely identify computer users or computer processes.

 

Valuable information: Information of significant financial value to Monterey County or another party.

 

Verify security status: The process by which controls are shown to be both properly installed and properly operating.

 

Virus: A parasitic software program, equipped with the means of reproducing itself, that spreads throughout a computer or network by attaching itself to or infecting other software or diskettes.  A worm is a similar program that propagates across a network by making copies of itself.

 

Virus screening software: Commercially-available software that searches for certain bit patterns or other evidence of computer virus infection.

 

 

ROLES AND RESPONSIBILITIES

 

Information Technology Steering Committee - at quarterly and ad hoc meetings, this committee will: (a) periodically review the status of Monterey County's computer and network security, (b) as needed, review and monitor remedial work related to computer and network security incidents, (c) authorize and later judge the results of major projects dealing with computer and network security, (d) approve new or modified information security policies, standards, guidelines, and procedures, and (e) perform other high-level information security management activities.

 

Director of Information Technology - establish and maintain organization-wide information systems security policies.  Periodically designate individuals to audit compliance with computer and network security policies.

 

Department of Information Technology - establish security standards and provide technical guidance on security to all Monterey County employee groups.  Organize a computer emergency response team (CERT) to respond to virus infestations, hacker intrusions, and similar events. Review proposals for electronic bulletin boards, local area networks, modem connections to existing local area networks, or other multi-user systems for communicating information for appropriateness under adopted policies.  Review Monterey County participation in external networks, or as a provider of services that external parties rely on, for appropriateness under adopted policies.

 

Chief Security and Privacy Officer - implement, administer, and interpret organization-wide information systems security policies.  Establish and maintain security standards, guidelines, and procedures in support of adopted policy.  While responsibility for information systems security on a day-to-day basis is every worker's duty, specific guidance, direction, and authority for information systems security is centralized for all of Monterey County and its subsidiaries in the Chief Security and Privacy Officer.  Accordingly, this person and subordinates will perform information systems risk assessments, prepare information systems security action plans, evaluate information security products, and perform other activities necessary to assure a secure information systems environment.  Coordinate individual department security activities through the local Information Security Officers.

 

Local Information Security Officers (ISOs) - monitor local compliance with security requirements, including hardware, software, and data safeguards.  ISOs must ensure that their division or office is in compliance with security policy established in this document.  ISOs must also provide administrative support and technical guidance to management on matters related to microcomputer security.

 

Information Technology Asset Owners - periodically conduct a risk assessment of each asset for which they are responsible to determine both risks and vulnerabilities.  Ensure appropriate security measures are implemented on these systems in a manner consistent with the level of information sensitivity stored and communicated over these assets.  Maintain information and resource access controls.  Ensure the sensitivity of data is defined and designated on these systems in a manner consistent with in-house sensitivity classifications.

 

Department Managers and Supervisors - ensure that employees under their supervision implement security measures as defined in this document and as appropriate to data sensitivity classifications.  Nominate local Information Security Officers to liaise with the Chief Security and Privacy Officer.  Inform employees under their supervision of security issues and promote security awareness.  Enforce compliance with the policies and procedures outlined in all Monterey County documents that address information security.  Conduct pre-exit security clearance processes upon termination of employment of officers or employees or fulfillment of contractual agreements.

 

County Officers and employees - know and apply the appropriate Monterey County policies and practices pertaining to sensitive information and computer systems security.  Prohibit unauthorized individuals from obtaining access to Monterey County information technology resources.  Not use or permit the use of any unauthorized devices.  Maintain exclusive control over and use of his/her password, and protect it from inadvertent disclosure to others.  Select a password that bears no obvious relation to the user, the user's organizational group, or the user's work project, and that is not easy to guess.  Ensure that data under his/her control and/or direction is properly safeguarded according to its level of sensitivity.  Report to his/her supervisor or local Information Security Officer any incident that appears to compromise the security of Monterey County information resources.  These include missing data, virus infestations, and unexplained transactions.  Access only the data and automated functions for which he/she is authorized in the course of normal business activity.  Obtain supervisor authorization for any uploading or downloading of information to or from Monterey County multi-user information systems if this activity is outside the scope of normal business activities.