Information Technology Policies
Subject: Information Technology Security Policy
Date Issued: September 10, 2002
Issued by: Director of Information Technology, as recommended by the Department Head Information Technology Steering Committee
Applies to: All Officers and employees
To establish the roles, responsibilities, and guidelines to protect and secure County information technology resources from unauthorized access, tampering, modification, communication, and/or theft.
Owners of information technology resource assets are responsible for maintaining both the physical and logical security of the assets under their jurisdiction.
A Chief Security and Privacy Officer position will be created and maintained within the County to categorize security risks, promote county-wide security awareness, interpret local implementation of mandates for modifications of security practices, acquire technology to secure County facilities and information technology resources, establish detailed security procedures, audit compliance with established security policy and procedure, and construct, facilitate, and/or implement appropriate corrective actions to mitigate security risks and deficiencies. The Chief Security and Privacy Officer shall have appropriate staff and effect good security management and practice both directly and through departmental Information Security Officers nominated by the individual Department Heads. The departmental Information Security Officers shall not directly report to the Chief Security and Privacy Officer, but shall be responsible for coordinating departmental actions in support of County-wide security initiatives.
Buildings which house Monterey County information technology resources will be protected with physical security measures that prevent unauthorized persons from gaining access to the equipment.
All information communicated over Monterey County information technology resources that has not been specifically identified as the property of other parties will be treated as though it is a Monterey County enterprise asset. It is the policy of Monterey County to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of this information. In addition, it is the policy of Monterey County to protect information belonging to third parties--that has been entrusted to Monterey County in confidence--in the same manner as other intellectual property and copyrights, as well as in accordance with applicable contracts.
6.1 – Physical Security
A list of managers who are authorized to control and grant access to Monterey County facilities will be created and maintained. To facilitate evacuation and to support investigations, Monterey County Departments must maintain records of the persons currently and previously inside the non-public areas of their facilities. This information must be securely maintained for at least three (3) months. Officer or employee access to non-public areas of facilities will be cancelled upon termination of an employment relationship with the County and all physical security access codes known by the worker will be deactivated or changed.
Access to every office, computer room, and work area containing sensitive information will be physically restricted. Management responsible for the staff working in these areas must determine the appropriate access control method (receptionists, metal key locks, magnetic door locks, etc.). Visitor access to offices, computer facilities, and other work areas containing sensitive information will be restricted and controlled by guards, receptionists, or other staff. Whenever a worker notices an unescorted visitor inside a Monterey County restricted area, the visitor must be immediately questioned about the purpose for being in the restricted area and directly accompanied to the receptionist or the person they came to see.
Occupants of non-public areas of County facilities must wear an identification badge on the outer garments so that the information on the badge is clearly visible. Workers who have forgotten their badges must obtain a temporary badge by providing a piece of picture identification (driver’s license, etc.). Such a temporary badge is valid for a single day only and must be turned in to the receptionist at the end of the workday.
All information storage media (such as hard disk drives, floppy disks, magnetic tapes, CD-ROMs, etc.) containing sensitive information must be physically secured when not in use.
The Chief Security and Privacy Officer will work with the County Departments to establish a process for maintaining physical security over microcomputer system equipment located in Monterey County facilities and offices which may involve check-in and check-out activities to help prevent theft of the equipment and any data stored thereon. Computers, communications equipment, and related information systems equipment will not be removed from Monterey County Department premises unless approved by management.
All Monterey County network equipment must be physically
secured with anti-theft devices if located in an open office environment.
Additional physical access controls may also be used for these devices.
For example, local area network servers must be placed in locked
cabinets, locked closets, or locked computer rooms.
Computer equipment located in sales service offices must additionally be
secured with anti-theft devices.
Access to information systems operations and networking staff offices, telephone wiring closets, computer machine rooms, network switching rooms, and other work areas containing "restricted" or "confidential" information must be physically restricted. Management responsible for the staff working in these areas must consult the Chief Security and Privacy Officer to determine the appropriate access control method (receptionists, metal key locks, magnetic card door locks, etc.).
6.2 – Microcomputer Security
Monterey County microcomputers must only be used in a
secure environment. An environment
is considered to be secure when appropriate controls have been established to
protect the software, hardware, and data. These
controls must provide a measure of protection commensurate with the sensitivity
of the data and the nature of anticipated risks.
An officer, employee, or contractor may be given
permission to bring a "personally-owned" microcomputer or any of its
component parts (including diskettes) into the workplace. Use of such equipment with Monterey County information
systems or data is permitted only after permission has been granted by a local
Information Security Officer (ISO).
Users of Monterey County microcomputers must annually
receive information security awareness training.
Microcomputer equipment should be physically protected to
lessen the risks of theft, destruction, and/or misuse. Suggested techniques to lessen these risks include housing
the equipment in a locked room, physically locking the equipment to its
workstation, or providing guard service or other physical security to protect
the premises containing microcomputers.
Each piece of microcomputer equipment must be marked for identification and inventory control. Inventory records of microcomputer equipment must be kept up-to-date. The master inventory shall be maintained by the Department of Information Technology, with the assistance of the individual departments, in conformance with the adopted Information Technology Asset Management policies.
The loss or theft of any microcomputer hardware and/or
software must be reported immediately to the local Information Security Officer
To prevent unauthorized access, users must configure
their screen savers to blank the screen and require a password to resume
whenever their workstations are unattended for more than 15 minutes. If sensitive data resides on microcomputers, screen savers
must be manually invoked whenever users leave these microcomputers.
Modems attached to microcomputers are not permitted
unless previously approved by local department management. Both inbound and outbound dial-up facilities are provided
through LAN server based modem pools [these systems incorporate communications
related access controls while microcomputers generally do not].
Microcomputer systems that handle sensitive data must
employ an approved access control mechanism (e.g., software or hardware) to
restrict access to authorized users.
Approved virus screening programs must be enabled on all
microcomputers at all times.
If a virus detection program indicates that a virus has
been discovered, the involved users must immediately notify the local
Information Security Officer (ISO). Users
should not attempt to eradicate a
virus or otherwise use the affected machine(s) until trained personnel have
addressed the problem.
When a microcomputer is used as the primary machine
supporting one or more production business applications, this machine must run
an approved access control system that provides privilege control as well as
Workers in the possession of portable, laptop, notebook,
palmtop, and other transportable computers containing "restricted" or
"confidential" Monterey County information must not leave these
computers unattended at any time unless the information is stored in encrypted
To prevent unauthorized disclosure, workers in the
possession of transportable computers containing unencrypted
"restricted" or "confidential" Monterey County information
must not check these computers in airline luggage systems, with hotel porters,
etc. These computers must remain in
the possession of the traveler at all times and be treated as hand luggage.
Whenever "restricted" or "confidential" information is written to a floppy disk, magnetic tape, smart card, or other storage media, the storage media must be suitably marked with the highest relevant sensitivity classification. When not in use, this media must be stored in a locked safe, locked furniture, or a similarly secured location.
6.3 – Data Security
Data security safeguards must be commensurate with the
level of sensitivity of the data stored. If
sensitive data is stored on an information technology resource, access controls
must be in place to restrict each user's ability to read, write, create, delete,
or modify sensitive data. These
privileges must be defined in a manner consistent with the need-to-know and be
approved by the data owner.
All data stored on information technology resources must
be periodically backed up and stored off-site in a physically-secured location.
Production business applications primarily running on microcomputers must
have an established and documented back-up procedure approved by local
All copies of sensitive data stored on diskettes must be
labeled "sensitive" and stored in a physically-secured location
(whether off-site or in the office).
Defective or damaged diskettes with sensitive data must
be destroyed according to methods approved by the Chief Security and Privacy
Officer and the Information Technology Department.
Sensitive data printed on hardcopy output must be
shredded prior to disposal.
Sensitive data displayed on a microcomputer screen must
be protected from unauthorized viewing via screen saver programs, access control
programs, and the arrangement of office furniture.
Users may only download or upload data in accordance with
approvals granted by local department management.
Data downloaded must be protected in the manner warranted
by its sensitivity.
Monterey County data may not be removed from Monterey
County offices or premises without the advance approval of local department
management. This policy is
particularly relevant to those who use portable computers.
Sensitive data must be electronically erased before the
media leaves Monterey County. This
can be accomplished on diskettes by reformatting the diskette.
On hard disks and LAN server drives the data can be "erased" by
deleting the file. [High-security environments will require more stringent
controls such as zeroization.]
Sensitive data must be encrypted with the aid of approved
encryption programs when stored on disks, tapes, or other media. Sensitive data must also be encrypted when sent over public
data communications systems such as the Internet.
Whenever possible, sensitive information should be
removed from microcomputers and hard drives before they are sent out for repair.
If this is not possible, ensure that microcomputers and hard drives
containing sensitive or confidential information are repaired only by vendors
with whom a nondisclosure agreement has been executed.
Alternatively, microcomputers may be repaired on-site under the
supervision of an authorized Monterey County employee or agent.
All workers who must keep "restricted" or
"confidential" Monterey County information at their homes in order to
do their work must utilize lockable furniture for the proper storage of this
information. At the time of
separation from Monterey County any information stored at home must be
"Restricted" or "confidential" information must not be downloaded to remote locations--such as sales offices--unless proper physical security and encryption facilities are installed and faithfully observed.
6.4 – Password Protected Resources
Access to networks and other sensitive resources shall be
authorized by the asset owners and require those with access to positively
identify themselves as individuals with authorization via userids and passwords,
as a minimum means of authentication.
Computer and communication system access control achieved
via passwords must incorporate passwords which are unique to each individual
user. Access control to files,
applications, databases, computers, networks, and other system resources via
shared passwords (also called "group passwords") is prohibited.
Wherever systems software permits, the display and
printing of passwords must be masked, suppressed, or otherwise obscured such
that unauthorized parties will not be able to observe or subsequently recover
Wherever systems software permits, the initial passwords
issued to a new user by a security administrator must be valid only for the new
user's first on-line session. At
that time, the user must be forced to choose another password. This same process applies to the resetting of passwords in
the event that a user forgets a password.
All vendor-supplied default passwords must be changed
before any computer or communications system is used for Monterey County
business. This policy applies to
passwords associated with end-user user-IDs, as well as passwords associated
with systems administrator and other privileged user-IDs.
In selecting passwords, users must choose passwords that
are difficult-to-guess. This means
that passwords must NOT be related to one's job or personal life.
For example, a car license plate number, a spouse's name, or fragments of
an address must not be used. This
also means passwords must not be a word found in the dictionary or some other
part of speech. For example, proper names, places, technical terms, and slang
must not be used. Where such
systems software facilities are available, users must be prevented from
selecting easily-guessed passwords.
Users can choose easily-remembered passwords that are at
the same time difficult for unauthorized parties to guess if they:
(a) String several words together (the resulting
passwords are also known as "passphrases"),
(b) Shift a word up, down, left or right one row on the
(c) Bump characters in a word a certain number of letters
up or down the alphabet,
(d) Transform a regular word according to a specific
method, such as making every other letter a number reflecting its position in
(e) Combine punctuation or numbers with a regular word,
(f) Create acronyms from words in a song, a poem, or
another known sequence of words,
(g) Deliberately misspell a word (but not a common
(h) Combine a number of personal facts like birth dates
and favorite colors.
Users must not construct passwords that are identical or
substantially similar to passwords they have previously employed.
Where systems software facilities are available, users must be prevented
from reusing previous passwords.
Users must not construct passwords using a basic sequence
of characters that is then partially changed based on the date or some other
predictable factor. For example,
users must NOT employ passwords like "X34JAN" in January,
"X34FEB" in February, etc.
Passwords must not be stored in readable form in batch
files, automatic log-in scripts, software macros, terminal function keys, in
computers without access control, or in other locations where unauthorized
persons might discover them.
Passwords must not be written down and left in a place
where unauthorized persons might discover them.
Aside from initial password assignment and password reset situations, if
there is reason to believe that a password has been disclosed to someone other
than the authorized user, the password must be immediately changed.
Regardless of the circumstances, passwords must never be
shared or revealed to anyone else besides the authorized user. To do so exposes the authorized user to responsibility for
actions that the other party takes with the disclosed password.
If users need to share computer resident data, they should use electronic
mail, public directories on local area network servers, and other mechanisms.
This policy does not prevent the use of default passwords--typically used
for new user-ID assignment or password reset situations--which are then
immediately changed when the user next logs onto the involved system.
To prevent password guessing attacks, where systems
software permits, the number of consecutive attempts to enter an incorrect
password must be strictly limited. After
three (3) unsuccessful attempts to enter a password, the involved user-ID must
be either suspended until reset by a system administrator, or temporarily
disabled for no less than three (3) minutes.
If dial-up or other external network connections are involved, the
session must be disconnected.
Whenever system security has been compromised, or even if
there is a convincing reason to believe that it has been compromised, the
involved system administrator must immediately: (a) reassign all relevant
passwords, and (b) force every password on the involved system to be changed at
the time of the next log-in. If
systems software does not provide the latter capability, a broadcast message
must be sent to all users telling them to change their passwords.
All passwords must be immediately changed if they are
suspected of being disclosed, or known to have been disclosed to anyone besides
the authorized user.
6.5 – Network Security
All computers permanently or intermittently connected to
Monterey County networks must have, as a minimum, password access controls.
Multi-user systems must employ user-IDs and passwords unique to each
user, as well as user privilege restriction mechanisms.
Network-connected single-user systems must employ hardware or software
mechanisms that control system booting and that include a no-activity screen
Whenever system security has been compromised, or even if
there is a convincing reason to believe that it has been compromised, a trusted
version of the operating system and all security-related software must be
reloaded from trusted storage media such as CD-ROMs, magnetic tapes, or original
source code floppy disks. The
involved system(s) must then be rebooted. Similarly,
all changes to user privileges taking effect since the time of suspected system
compromise must be immediately reviewed by the systems administrator for
All users must be positively identified prior to being
able to use any multi-user computer or communications system resources.
Positive identification for internal Monterey County networks involves
both a user-ID and a fixed password, both of which are unique to an individual
Positive identification for dial-up lines involves the use of hand-held tokens, cryptographic challenge/response, or other approved extended user authentication techniques. The combination of a user-ID and a fixed password does not provide sufficient security for dial-up connections to Monterey County systems or networks. Modems attached to network-connected workstations situated in Monterey County offices are forbidden because they do not provide adequate positive user identification. Modems connected to isolated computers (such as portable computers and home computers) are permissible.
Positive identification for users originating external
real-time connections to Monterey County systems or networks via value added
networks (like BT Tymnet), public networks (like the Internet), or any other
external communications system must also involve extended user authentication
Where systems software permits, every log-in banner on
multi-user computers must include a special notice.
This notice must state: (1) the system is to be used only by authorized
users, and (2) by continuing to use the system, the user represents that he/she
is an authorized user.
The log-in process for network-connected Monterey County
computer systems must simply ask the user to log-in, providing prompts as
needed. Specific information about
the organization, the computer operating system, the network configuration, or
other internal matters must not be provided until a user has successfully
provided both a valid user-ID and a valid password.
If there has been no activity on a computer terminal,
workstation, or microcomputer for a certain period of time, the system must
automatically blank the screen and suspend the session.
Re-establishment of the session must take place only after the user has
provided a valid password. The
recommended period of time is fifteen (15) minutes. An exception to this policy will be made in those cases where
the immediate area surrounding a system is physically secured via cipherlocks,
secured-room badge readers, or similar technology.
With the exception of electronic bulletin boards or other
systems where all regular users are anonymous, users are prohibited from logging
into any Monterey County system or network anonymously (for example, by using
"guest" user-IDs). If
users employ systems facilities which allow them to change the active user-ID to
gain certain privileges, they must have initially logged-in employing a user-ID
that clearly indicates their identity. On
UNIX systems, this means that users must be prevented from initially logging-in
as "root," but must instead first log-in employing their own user-ID.
If such users have been granted the ability to achieve superuser
privileges, they may then "set userid" ("su") to gain
"root" access. Whatever
the operating system, logs must record all such changes of current user-IDs.
From time to time, the Director of Information Technology
will designate individuals to audit compliance with this and other computer and
network security policies. At the
same time, every worker must promptly report any suspected network security
problem--including intrusions and out-of-compliance situations--to the Chief
Security and Privacy Officer.
Computer viruses can spread quickly and need to be
eradicated as soon as possible to limit serious damage to computers, networks,
and Monterey County information. Accordingly,
provided no intention to damage Monterey County systems existed, if workers
report a computer virus infestation immediately after it is noticed, even if
their negligence was a contributing factor, no disciplinary action will be
All network or systems software malfunctions must be
immediately reported to the Information Technology Department Customer Service
Desk (Help Desk) and/or the involved external information system service
provider. Ignoring these
malfunctions could lead to serious problems such as lost or damaged information
as well as unavailable network services.
Every multi-user computer or communications system must
include sufficient automated tools to assist the systems administrator in
verifying the systems' security status. These
tools must include mechanisms for the recording, detection, and correction of
commonly-encountered security problems.
Whenever cost-justifiable, automated tools for handling
common security problems must be used on Monterey County computers and networks.
For example, autodiscovery software (which automatically checks
microcomputer software licenses via a local area network) must be used on a
To the extent that systems software permits, computer and
communications systems handling sensitive, valuable, or critical Monterey County
information must securely log all significant security relevant events.
Examples of security relevant events include: users switching user-IDs
during an on-line session, attempts to guess passwords, attempts to use
privileges that have not been authorized, modifications to production
application software, modifications to system software, changes to user
privileges, and changes to logging subsystems.
Logs containing computer or communications system
security relevant events must be retained for at least three (3) months.
During this period, logs must be secured such that they cannot be
modified, and such that they can be read only by authorized persons.
These logs are important for error correction, security breach recovery,
investigations, and related efforts. The
Information Technology Department will maintain the logs for access by the
To provide evidence for investigation, prosecution, and
disciplinary actions, certain information must be captured whenever it is
suspected that computer or network related crime or abuse has taken place.
The relevant information must be securely stored off-line until such time
as it is determined that Monterey County will not pursue legal action or
otherwise use the information. The
information to be immediately collected includes the system logs, application
audit trails, other indications of the current system states, as well as copies
of all potentially involved files.
To allow proper remedial action to be taken in a timely
manner, records reflecting security relevant events must be periodically
reviewed in a timely manner by computer operations staff, information security
staff, or systems administration staff.
Users must be put on notice about the specific acts that
constitute computer and network security violations. Users must also be informed that such violations will be
Although systems administrators are not required to
promptly load the most recent version of operating systems, they are required to
promptly apply all security patches to the operating system that have been
released by either: (a) knowledgeable and trusted user groups, (b) well-known
systems security authorities such as Carnegie Mellon University's Computer
Emergency Response Team (aka CERT), and (c) the operating system vendor.
Only those systems security tools supplied by these sources or by
commercial software firms may be used on Monterey County computers and networks.
Information about security measures for Monterey County
computer and communication systems is confidential and should not be released to
people who are not authorized users of the involved systems unless the
permission of the Director of Information Technology or the Chief Security and
Privacy Officer has first been obtained. For
example, publishing modem phone
numbers or other system access information in directories is prohibited.
Nonetheless, release of Internet electronic mail addresses is
6.6 – System Privileges
The computer and communications system privileges of all
users, systems, and independently-operating programs (such as
"agents") must be restricted based on the need-to-know.
This means that privileges must not be extended unless a legitimate
business-oriented need for such privileges exists.
Default user file permissions must not automatically
allow anyone on the system (on UNIX systems, the "world") to read,
write, or execute a file. Although
users may reset permissions on a file-by-file basis, such permissive default
file permissions are prohibited. Nonetheless,
default file permissions granted to limited groups of people who have a bona
fide need-to-know are allowed.
Users with microcomputers (Macintoshes and IBM-PCs) are
responsible for administering a screen saver program securing access to their
machine's hard disk drive, and setting passwords for all applications and
systems software that provide the capability.
Monterey County computer and communications systems must
restrict access to the computers that users can reach over Monterey County
networks. These restrictions can be implemented via routers, gateways, front-end
telecommunications processors, and other network components.
These restrictions must be used to, for example, control "passthru"--where
a user logging-into a certain computer then moves from that computer on to
6.6.1 Process for Granting System Privileges
Requests for new user-IDs and changed privileges must be
in writing and approved by the user's manager before a systems administrator
fulfills these requests. To help
establish accountability for events on the related systems, documents (perhaps
in electronic form) reflecting these requests must be retained for a period of
at least a year.
Individuals who are not Monterey County officers or
employees must not be granted a user-ID or otherwise be given privileges to use
Monterey County computers or communications systems unless the advance written
approval of a department head has first been obtained.
Privileges granted to users who are not Monterey County
officers or employees must be granted for periods of 90 days or less.
As needed, users who are not Monterey County officers or employees must
have their privileges reauthorized by the sponsoring department head every 90
Special system privileges--such as the default ability to
write to the files of any other users--must be restricted to those directly
responsible for systems administration and/or systems security. An exception to this policy can be made only if a department
head has approved the exception in writing.
For example, end-users must not be granted "root" privileges
(or comparable access rights on non-UNIX platforms), unless they have first
received specific written authorization from their department managers.
Similarly, configuration changes, operating system changes, and related
activities that require "root" privileges must be performed by systems
administrators, NOT end-users.
Third party vendors must NOT be given dial-up privileges
to Monterey County computers and/or networks unless the involved system
administrator determines that they have a bona fide need.
These privileges must be enabled only for the time period required to
accomplish the approved tasks (such as remote maintenance).
If a perpetual or long-term connection is required, then the connection
must be established by approved extended user authentication methods (hand-held
tokens, software-based challenge/response process, etc.).
All users wishing to use Monterey County internal
networks, or multi-user systems that are connected to Monterey County internal
networks, must sign a compliance statement prior to being issued a user-ID.
If a certain user already has a user-ID, a signature must be obtained
prior to receiving a renewed user-ID. The
latter process must be performed periodically.
A signature on this compliance statement indicates the involved user
understands and agrees to abide by Monterey County policies and procedures
related to computers and networks (including the instructions contained in this
6.6.2 Process for Revoking System Access
All user-IDs must automatically have the associated
privileges revoked after a certain period of inactivity.
The recommended period is thirty (30) days.
If a computer or communication system access control
subsystem is not functioning properly, it must default to denial of privileges
to users. If access control
subsystems are malfunctioning, the systems they support must remain unavailable
until such time as the problem has been rectified.
Users must not test, or attempt to compromise, computer or
communication system security measures unless specifically approved in advance
and in writing by the Chief Security and Privacy Officer.
Incidents involving unapproved system cracking (hacking), password
cracking (guessing), file decryption, bootleg software copying, or similar
unauthorized attempts to compromise security measures may be unlawful, and will
be considered serious violations of Monterey County policy.
Customer requests that Monterey County security mechanisms be compromised
must NOT be satisfied unless: (a) the Chief Security and Privacy Officer
approves in advance, or (b) Monterey County is compelled to comply by law.
Likewise, short-cuts bypassing systems security measures, as well as
pranks and practical jokes involving the compromise of systems security measures
are absolutely prohibited.
The system privileges granted to users must be
re-evaluated by management annually. In
response to feedback from management, systems administrators must promptly
revoke all privileges no longer needed by users.
Management must promptly report all significant changes
in worker duties or employment status to the system administrators responsible
for user-IDs associated with the involved persons.
For all terminations, Human Resources must also issue a notice of status
change to all system administrators who might be responsible for a system on
which the involved worker might have a user-ID.
6.6.3 Establishment of Access Paths
Changes to Monterey County internal networks include
loading new software, changing network addresses, reconfiguring routers, adding
dial-up lines, and the like. With
the exception of emergency situations, all changes to Monterey County computer
networks must be: (a) documented in a work order request, and (b) approved in
advance by the Information Technology Department except as explicitly delegated
by the IT Department. Emergency
changes to Monterey County networks must only be made by persons who are
authorized by the IT Department. This
process prevents unexpected changes from inadvertently leading to denial of
service, unauthorized disclosure of information, and other problems.
This process applies not only to "workers" as defined in the
Scope section of this policy, but also to vendor personnel.
Workers must NOT establish electronic bulletin boards,
local area networks, modem connections to existing local area networks, or other
multi-user systems for communicating information without the specific approval
of the Director of the Information Technology Department.
Likewise, new types of real-time connections between two or more in-house
computer systems must not be established unless such approval has first been
obtained. This policy helps to
ensure that all Monterey County systems have the controls needed to protect
other network-connected systems. Security
requirements for a network-connected system are not just a function of the
connected system; they are also a function of all other Monterey County
Participation in external networks as a provider of
services that external parties rely upon is expressly prohibited unless
explicitly permitted by the Director of Information Technology in writing. Acting as an Internet node is an example of such
All Monterey County computers that intermittently or
continuously connect to an internal or external network must employ
password-based access controls. Multi-user
computers must employ software which restricts access to the files of each user,
which logs the activities of each user, and which has special privileges granted
to a systems administrator. Single-user
systems must employ access control software that includes boot control and an
automatic screen blanker that is invoked after a certain period of no keyboard
(or other input device) activity. Portable
computers and home computers which contain Monterey County information are also
covered by this policy, as are network devices such as gateways, routers, and
To stop unauthorized system access and related problems,
all inter-processor commands from non-Monterey County locations are prohibited
unless a user or process has first properly logged-in.
An example of such a command is a remotely-initiated request for a list of
users currently logged-in.
Users initiating sessions via dial-up lines connected to
Monterey County internal networks and/or multi-user computer systems must pass
through an additional access control point (firewall) before users employing
these lines can reach a log-in banner. Although
other forms of firewalls are possible, Monterey County now provides such access
via dynamic passwords (specifically the hand-held token system).
Unless approved in advance by the Director of Information Technology,
dial-up connections that do not go through approved firewalls in order to reach
Monterey County internal-network connected systems are prohibited.
This policy applies to Internet inbound calls as well as Electronic Data
Remote maintenance ports for Monterey County computer and
communication systems must be
disabled until the specific time they are needed by the vendor.
These ports must then be disabled again immediately after use.
Alternatively, dial-up connections can be established with vendors via
outbound calls initiated by Monterey County workers. No firewall access control
is needed for either type of connection.
Portable phones using radio technology as well as
cellular phones must not be used for data transmissions containing Monterey
County "confidential" or "restricted" information unless the
connection is encrypted. Likewise,
other broadcast networking technologies--such as radio-based local area
networks--must not be used for these types of Monterey County information unless
the link is encrypted. Such links
may be used for electronic mail as long as the user understands that it contains
no "confidential" or "restricted" information.
6.7 Computer Viruses, Worms, and Trojan Horses
A computer virus is an unauthorized program that
replicates itself, attaches itself to other programs, and spreads onto various
data storage media (floppy disks, magnetic tapes, random access memory, etc.)
and/or across a network. The
symptoms of virus infection include much slower computer response time,
inexplicable loss of files, changed modification dates for files, increased file
sizes, and total failure of computers.
To assure continued uninterrupted service for both
computers and networks, all microcomputer (Macintosh and IBM-PC) users must keep
approved virus screening software enabled on their computers. This screening software must be used to scan all software
coming from either third parties or other Monterey County departments; the
scanning must take place before the new software is executed. Users may not bypass scanning processes that could arrest the
transmission of computer viruses.
Although users are responsible for eradicating viruses
from their systems whenever they have been detected, they must immediately call
the Information Technology Department's "hot-line" whenever they
believe that a system has been infected. This
will allow steps to promptly be taken to assure that no further infection takes
place and that experts needed to eradicate the virus are promptly engaged.
To assist with the post-virus-infection restoration of
microcomputer computing environments, all microcomputer software must be copied
prior to its initial usage, and such copies must be stored in a safe place.
These master copies must not be used for ordinary business activities,
but must be reserved for recovery from computer virus infections, hard disk
crashes, and other computer problems. These
master copies must also be stored in a secure location.
Larger systems do not generally suffer from viruses, but they do suffer from worms and Trojan horses. Worms are much like viruses, but do not attach themselves to other programs. Trojan horses are unauthorized programs hidden within authorized programs. To prevent problems with viruses, worms, and Trojan horses, Monterey County computers and networks must not run software that comes from sources other than: (a) business partners, (b) knowledgeable and trusted user groups, (c) well-known systems security authorities such as Carnegie Mellon University's Computer Emergency Response Team (aka CERT), (d) computer or network vendors, or (e) commercial software vendors. Software down-loaded from electronic bulletin boards, shareware, public domain software, and other software from untrusted sources must not be used unless it has first been subjected to a rigorous testing regimen approved by the Chief Security and Privacy Officer.
When Monterey County "confidential" or
"restricted" information is transmitted over any communication
network, it must be sent in encrypted form.
Likewise, whenever Monterey County source code, or source code that has
been entrusted to Monterey County by a business partner, is to be sent over a
network, it too must be in encrypted form.
Similarly, whenever "confidential" or
"restricted" information is not being actively used, it must be stored
in encrypted form. This means
that when "confidential" or "restricted" information is
stored or transported in computer-readable storage media (such as magnetic tapes
or floppy disks), it must be in encrypted form.
Encryption of information at rest (in storage) or in
transit (on a network) must be achieved via commercially-available products
approved by the Information Technology Department.
The algorithm called the Data Encryption Standard (DES) is recommended,
but because it is not exportable, secured international communications will
often need to use other algorithms.
Whenever encryption is used, workers must not delete the
sole readable version of the information unless they have first demonstrated
that the decryption process is able to reestablish a readable version of the
Encryption keys used for Monterey County information are
always classified as "confidential" or "restricted"
information. Access to such keys
must be strictly limited to those who have a need-to-know. Unless the approval of the Chief Security and Privacy Officer
is first obtained, encryption keys must not be revealed to consultants,
contractors, temporaries, or third parties.
Likewise, encryption keys must always be encrypted when sent over a
Whenever such facilities are commercially available,
Monterey County must employ automated rather than manual encryption key
management processes for the protection of information on Monterey County
6.9 Remote Printing
Printers must not be left unattended if
"restricted" or "confidential" information is being printed
or will soon be printed. The
persons attending the printer must be authorized to examine the information
being printed. Unattended printing
is permitted if the area surrounding the printer is physically protected such
that persons who are not authorized to see the material being printed may not
6.10 Right to Audit and Examine
Unless contractual agreements dictate otherwise, messages
sent over Monterey County computer and communications systems are the property
of Monterey County. To properly
protect and manage this property, management reserves the right to examine all
data stored in or transmitted by these systems.
Since Monterey County's computer and communication systems must be used
for business purposes only, workers should have no expectation of privacy
associated with the information they store in or send through these systems.
When providing computer networking services, Monterey
County does not provide default message protection services such as encryption.
Accordingly, no responsibility is assumed for the disclosure of
information sent over Monterey County's networks, and no assurances are made
about the privacy of information handled by Monterey County internal networks.
In those instances where session encryption or other special controls are
required, it is the user's responsibility to make sure that adequate security
precautions have been taken. Nothing
in this paragraph should be construed to imply that Monterey County policy does
not support the controls dictated by agreements with third parties (such as
organizations which have entrusted Monterey County with confidential
The Director of Information Technology acknowledges that
under rare circumstances, certain workers will need to employ systems that are
not compliant with these policies. All
such instances must be approved in writing and in advance by the Director of
Information Technology and/or the Chief Security and Privacy Officer.
Access control: A
system to restrict the activities of users and processes based on the
Agents: A new
type of software that performs special tasks on behalf of a user, such as
searching multiple databases for designated information.
mathematical process for performing a certain calculation; generally used to
refer to the process for performing encryption.
Badge reader: A
device which reads badges and interconnects with a physical access control
process of initializing a computer system from a turned-off state.
device which interconnects networks or that otherwise allows networking circuits
to be connected.
device that requires the entry of passwords at doors and which provides physical
access control over a room or building.
A document used to obtain a promise from a computer user that such user will
abide by system policies and procedures.
A designation for information, the disclosure of which is expected to damage
Monterey County or its business affiliates (see restricted information).
Any information essential to Monterey County's business activities, the
destruction, modification, or unavailability of which would cause serious
disruption to Monterey County's business.
Cryptographic challenge/response: A process for identifying computer users involving the
issuance of a random challenge to a remote workstation, which is then
transformed using an encryption process and a response is returned to the
connected computer system.
Data Security Classification - Monterey County data is classified into two basic
(1) Nonsensitive - Data is classified as "nonsensitive"
if unauthorized modification, destruction, loss, disclosure, or unavailability
of the data is not expected to cause interruption, setback, or damage to
Monterey County's business goals or reputation.
(2) Sensitive - Data is classified as
"sensitive" if unauthorized modification, destruction, loss,
disclosure, or unavailability of the data would cause an interruption, setback,
or damage to Monterey County's business goals or reputation.
Default file permission:
Access control file privileges (read, write, execute, etc.) granted to computer
users without further involvement of either a security administrator or users.
An initial password issued when a new user-ID is issued, or an initial password
provided by a computer vendor when hardware/software is first delivered.
Downloading - The
transfer of data from a host computer (mainframe, minicomputer, network server,
etc.) system to a connected workstation, such as a personal computer.
A password which changes each time a user logs into a computer system.
Encryption - A
process involving data coding to achieve confidentiality, anonymity,
time-stamping, and other security objectives.
The process of transforming computer-based readable data into an
unintelligible form called "ciphertext."
Reversing the encryption process and transforming the ciphertext back
into its original "plaintext" form is called decryption. The encryption and decryption methods are designed so that
only the desired recipient, with the appropriate key, may decrypt the ciphertext.
Encryption key: A
secret password or bit string used to control the algorithm governing an
End-user: A user
who employs computers to support Monterey County business activities, who is
acting as the source or destination of information flowing through a computer
Extended user authentication technique: Any of various processes used to bolster the user
identification process achieved by user-IDs and fixed passwords (see hand-held
tokens and dynamic passwords).
logical barrier stopping computer users or processes from going beyond a certain
point in a network unless these users or processes have first passed some
security check (such as providing a password).
Front-end telecommunications processor: A small computer used to handle communications
interfacing (polling, multiplexing, error detection, etc.) for another computer.
computer system used to link networks which can restrict the flow of information
and which employs some access control method.
Information retention schedule: A formal listing of the types of information that must
be retained for archival purposes and the timeframes that these types of
information must be kept.
A computer which is not connected to a network or any other computer; a
stand-alone personal computer is an example.
Log-in banner: The
initial message presented to a user when he or she first makes connection with a
Log-in script: A set
of stored commands which can log a user into a computer automatically.
Master copies of software:
Copies of software which are retained in an archive and which are not used for
normal business activities.
Microcomputer - A
general purpose or portable (including laptop) computer consisting of one or
more microprocessors assembled in a unit that will fit on top of a desk.
The unit typically consists of a central processing unit (CPU), video
display, keyboard, disk drive, and a number of peripheral devices such as a
printer and CD-ROM drive. The terms
"microcomputer" and "personal computer" (PC) are considered
synonymous and may be used interchangeably in this document.
Multi-user computer system:
Any computer that can support more than one user simultaneously.
Owner - The
principal user representative who has been charged with responsibility for a
particular application system or data collection (for example a database).
The Owner is the focal point for all user activity with respect to the
application or data collection in question, including the specification of
security requirements and related access control restrictions.
Password guessing attack:
A computerized or manual process whereby various possible passwords are provided
to a computer in an effort to gain unauthorized access.
Password reset: The
assignment of another (temporary) password when a user forgets or loses his/her
Password-based access control: Software which relies on passwords as the primary
mechanism to control system privileges.
secret string of characters used to positively identify a computer user or
The process of definitively establishing the identity of a computer user.
authorized ability to perform a certain action on a computer, such as read a
specific computer file.
A user-ID which has been granted the ability to perform special activities, such
as shut down a multi-user system.
Particularly sensitive information, the disclosure of which is expected to
severely damage Monterey County or its business affiliates (see confidential
device that interconnects networks using different layers of the Open Systems
Interconnection (OSI) Reference Model.
Screen blanker: See
Screen saver: A
computer program that automatically blanks the screen of a computer monitor or
CRT after a certain period of no activity.
A commercial dynamic password system which employs a smart card to generate
one-time passwords that are different for each session.
Security patch: A
software program used to remedy a security or other problem (commonly applied to
Any information, the disclosure of which could damage Monterey County or its
A password known by and/or used by more than one individual.
Software macro: A
computer program containing a set of procedural commands to achieve a certain
Special system privilege:
Access system privileges allowing the involved user or process to perform
activities which are not normally granted to other users.
Suspending a user-ID:
The process of revoking the privileges associated with a user-ID.
A designated individual who has special privileges on a multi-user computer
system, and who looks after security and other administrative matters.
Terminal function keys:
Special keys on a keyboard that can be defined to perform certain activities
such as save a file.
The transfer of data from a connected device, such as a personal computer, to a
host system (mainframe, minicomputer, etc.).
known as accounts, these are character strings that uniquely identify computer
users or computer processes.
Information of significant financial value to Monterey County or another party.
Verify security status:
The process by which controls are shown to be both properly installed and
Virus - A
parasitic software program, equipped with the means of reproducing itself, that
spreads throughout a computer or network by attaching itself to or infecting other
software or diskettes. A worm is a
similar program that propagates across a network by making copies of itself.
Virus screening software: Commercially-available software that searches for certain bit patterns or other evidence of computer virus infection.
ROLES AND RESPONSIBILITIES
Information Technology Steering Committee - at quarterly and ad hoc meetings, this committee will:
(a) periodically review the status of Monterey County's computer and network
security, (b) as needed, review and monitor remedial work related to computer
and network security incidents, (c) authorize and later judge the results of
major projects dealing with computer and network security, (d) approve new or
modified information security policies, standards, guidelines, and procedures,
and (e) perform other high-level information security management activities.
Director of Information Technology - establish
and maintain organization-wide information systems security policies.
Periodically designate individuals to audit compliance with computer and
network security policies
Department of Information Technology - establish security standards and provide technical
guidance on security to all Monterey County employee groups. Organize a computer emergency response team (CERT) to respond
to virus infestations, hacker intrusions, and similar events. Review proposals
for electronic bulletin boards, local area networks, modem connections to
existing local area networks, or other multi-user systems for communicating
information for appropriateness under adopted policies.
Review Monterey County participation in external networks, or as a
provider of services that external parties rely on, for appropriateness under
Chief Security and Privacy Officer -
implement, administer, and interpret organization-wide information systems
security policies. Establish and
maintain security standards, guidelines, and procedures in support of adopted
policy. While responsibility for
information systems security on a day-to-day basis is every worker's duty,
specific guidance, direction, and authority for information systems security is
centralized for all of Monterey County and its subsidiaries in the Chief
Security and Privacy Officer. Accordingly,
this person and subordinates will perform information systems risk assessments,
prepare information systems security action plans, evaluate information security
products, and perform other activities necessary to assure a secure information
systems environment. Coordinate
individual department security activities through the local Information Security
Local Information Security Officers (ISOs) - monitor local compliance with security requirements,
including hardware, software, and data safeguards.
ISOs must ensure that their division or office is in compliance with
security policy established in this document.
ISOs must also provide administrative support and technical guidance to
management on matters related to microcomputer security.
Information Technology Asset Owners – periodically conduct a risk assessment of each asset
for which they are responsible to determine both risks and vulnerabilities.
Ensure appropriate security measures are implemented on these systems in
a manner consistent with the level of information sensitivity stored and
communicated over these assets. Maintain
information and resource access controls. Ensure
the sensitivity of data is defined and designated on these systems in a manner
consistent with in-house sensitivity classifications.
Department Managers and Supervisors – ensure that employees under their supervision
implement security measures as defined in this document and as appropriate to
data sensitivity classifications. Nominate
local Information Security Officers to liaise with the Chief Security and
Privacy Officer. Inform employees
under their supervision of security issues and promote security awareness.
Enforce compliance with the policies and procedures outlined in all
Monterey County documents that address information security.
Conduct pre-exit security clearance processes upon termination of
employment of officers or employees or fulfillment of contractual agreements.