|Subject:||Information Technology Operations Policy|
|Date Issued:||September 10, 2002
1st Revision –January 9, 2007
|Issued by:||Director of Information Technology, as recommended by the Department Head Information Technology Steering Committee|
|Applies to:||All Officers and employees|
To afford a maximum amount of availability for accessing and using information technology resources, to ensure referenced information is current and in support of the County’s mission and values, and to afford a minimum amount of business process interruptions from information technology resource operations and/or maintenance activities.
Information technology resources shall be operated and maintained in a manner that supports high availability for utilization and minimizes the risk of business interruption. To the fullest extent possible non-emergency maintenance activities shall be performed in time periods during which a resource is not typically utilized for business purposes (i.e. normal lunch periods, after 5 p.m., etc.) If no such time period exists, or if urgency dictates otherwise, to the fullest extent possible a scheduled outage will be negotiated with the owners of the assets impacted and as a minimum notification of the outage will be broadcast to the user community prior to taking a resource out of service for maintenance. Such notices shall include a description of the reason for the outage, the projected time at which service will be restored, and afford the users of the resources an opportunity to initiate alternative communications or data collection and processing activities. Only extreme emergencies shall justify stopping of an information technology resource without having taken such steps.
Operations staff and/or system administrators are responsible for maintaining records of hardware and/or software failures including descriptive information about the failure, the date and time of the failure and the date and time that the resource was returned to normal service, general conditions at the time of the failure, any unusual activity observed prior to the failure, information received about correcting the failure, and the corrective actions taken.
All shared communications and information processing devices (mainframes, mid-range processors, servers of all types (application, database, workgroup, etc.), network routers, bridges, and switches, etc.) shall be labeled by operations staff with information recording the purpose or function of the device and/or other data that links specific devices to other asset management records such as the owner, capabilities, etc. Operations staff and/or systems administrators are responsible for maintaining documentation about the information technology resources they operate, including appropriate manufacturer specifications for operations, owner’s manuals, licensing agreements, operations manuals, error and system message manuals, technical support manuals, user manuals, training materials, procedures for the conduct of operational activities, backup and recovery procedures, and other related information.
All shared communications and processing resources (mainframes, mid-range processors, servers of all types (application, database, workgroup, etc.), network routers, bridges, and switches, etc.) shall be installed with their own dedicated source of power, a surge protector, and with a back-up UPS (uninterrupted power supply) with sufficient capacity to prevent an equipment failure if the main power supply fails. As a safety precaution fire extinguishers or systems shall be installed in close proximity to these electronic devices and be of a type that complies with fire regulations and codes, but minimizes damage to electronic equipment when discharged near the devices. Smoke detection and alarms are required. Materials used in constructing computer rooms should be fire retardant and resistant.
Shared communications and processing resources shall not be installed adjacent to any natural gas or liquid-transporting pipes, high voltage lines, magnetic radiation, or areas that may be subject to flooding or periodic water damage.
Shared communications and processing resources shall be located in secured areas to be free from unauthorized access and tampering. Installation of these devices shall include provisioning for cooling (air conditioning) and other environmental requirements (i.e sound barriers, humidity monitoring and treatment, electro-magnetic shielding, etc.) to permit normal high availability operations. Such locations shall normally be free of signage or other obvious indicators of the functions of the equipment to maintain a low profile and not advertise mission critical sites.
Shared communications and processing resources shall be installed with provisions for making backup copies of configuration information and data normally stored on the device and restoring that information should a device failure occur. The method and frequency of making backup copies shall be established by business need and be a function of managing the risk of data loss. Typically for servers this will consist of a full backup being made at least weekly, with daily incremental backups being taken on a daily basis. For high volume transaction applications various techniques such as transaction logging may be utilized to supplement application backups and assist with recovering from device failures.
Referenced and/or linked information that is maintained outside of the control of County personnel will be considered suspect and be subject to review and scrutiny by appropriate staff and officials for conformance with the County’s information technology policies and interests before establishing a permanent link to County resources and periodically thereafter to ensure continued compliance with such policies and interests. Any referenced and/or linked information that is found out of compliance with County policies and conformance with County interests will immediately be disconnected and disassociated from the County’s information technology resources.
WEB SITE LINKS
The County of Monterey website and the associated departmental websites may provide hypertext links to external websites as a convenience for users. The County of Monterey is not responsible for the subject matter or accessibility of these external sites. A notice of disclaimer regarding such responsibilities will be posted on County web pages containing external links to inform users that the links and the material and information contained upon them are provided as a public service. Accordingly, the information presented on linked web pages is not intended to serve as legal or financial advice and may not conform with County policy and/or opinions. As maintenance of information on externally linked web pages is not conducted by County personnel, the County cannot warrant the completeness, accuracy, timeliness, intent, or even the actual messages being presented. Further, because of the dynamic nature of the Internet and because external sites are frequently under development or in a process of change, the materials and information contained on such pages may be modified, deleted, moved, or altered to inappropriate content without advance notice. Therefore, the user must expressly agree that following such links is at the sole risk of the user.
The appointed webmaster for a specific County web page and the Department Head of the represented department are responsible for the creation and maintenance of links to external web sites appearing on those pages. The Director of Information Technology is responsible for the County web pages. In no case shall an external link be placed upon any County or County department web page without having undertaken the formal link review process as follows:
Each proposed link must meet at least one of the following criteria:
The site is an official website of another government entity, including local, regional, state, or federal government agency, public or private credentialed educational institution, or special district.
The site is provided as a part of a service that the County contracts for via a subscription, license fee, transactional fee, or other financial arrangement which binds the provider to maintain the site in a condition suitable for use by employees and the public at large.
The site provides utility or transit service information to County residents.
The site provides emergency information, such as flood management, river conditions, weather & travel conditions, road & Traffic conditions, homeland security, or emergency assistance/aid.
The site contains useful health related information or alerts local to Monterey County, important health emergency information, and medical reference information.
The site contains reference materials and/or informational items that the County subscribes to, or contracts for access to, as a part of its business operations and functions.
The site is a non-profit organization making a difference in our community through its donations and volunteers, or provides information, services or programs of specific interest to the Monterey County community.
The site provides information on laws and regulations.
The site contains recognition involving Monterey County with respect to achievement awards or noteworthy accomplishments and activities.
The site contains local news and community events.
The site contains useful information about visiting Monterey County and the immediate region.
The site provides a community guide for the Monterey County area.
Under no circumstances will an external link from a County web page be provided to a site that meets any of the following prohibitions. This is not to be considered an all inclusive list of exclusions.
The site content is not suitable for readers or viewers of all ages.
The site has content that a reasonable person may not consider to maintain the dignity and decorum appropriate for government.
The site has distasteful, offensive, obscene or objectionable content.
The site is primarily for or about political campaigns.
The site content promotes the use of alcohol, tobacco or any other controlled substance.
The content promotes or describes illegal activities.
The content is in essence a personal homepage.
The site is primarily a chat room or bulletin board.
The site is essentially a commercial retail site promoting products or services, unless the site is maintained by a commercial business partner of the County and the site is used for the conduct of official County business, or the site affords product or service information of concern to the County or in support of County Programs.
The content is primarily editorial in nature.
Each site being proposed for an external link from a County web page shall be examined and analyzed by the appointed webmaster and responsible Department Head for the page upon which the link is proposed to be displayed to verify conformance with the above criteria. Should the site fail on any of the above criteria the webmaster shall not post the link. Should the webmaster and Department Head question whether a site qualifies for the addition of an external link, the proposed site will be submitted for consideration by a group consisting of County Administrative Officer, Chief Security and Privacy Officer, and the Director of Information Technology. Only upon a unanimous approval by the reviewing group may the link be added to the proposed County page. Should the County Administrative Officer, Chief Security and Privacy Officer, or Director of Information Technology disagree with the external link appearing on a County web page, the appointed webmaster shall immediately remove the link.
When a request for an external link is received from the general public, the request will be forwarded to the Director of the Information Technology Department. The Director will forward a written communication to the requesting party stipulating the requestor to provide a written communication on the letterhead of the organization represented on the website detailing as a minimum:
Upon review and verification of the information received the Director of Technology will coordinate with the Department Head(s) most likely to be involved with content on the proposed link site and based upon the Department Head’s recommendation authorize the establishment of the link. Should the webmaster and Department Head question the appropriateness of the link the Director of Technology will forward the letter for consideration by a group consisting of the County Administrative Officer, Chief Security and Privacy Officer, and the Director of Information Technology for compliance with County information technology policies. Only upon a unanimous approval by the reviewing group may the link be added to the proposed County page. Should the County Administrative Officer, Chief Security and Privacy Officer, or Director of Information Technology disagree with the external link appearing on a County web page, the appointed webmaster shall immediately remove the link.
The County reserves the right to deny a request for any reason and without notice either establish a link, or remove it from the County’s web pages. If an external site or link is observed to be non-operational the link will be removed by the appointed webmaster for the page upon which the link appears. If during a periodic audit of linked site content a change in conformance of the site with this policy is detected, the webmaster will immediately removed the link.
County of Monterey Departmental websites will be reviewed for compliance with this Policy by a Webmaster Review Group on a cyclical basis with the target being to review each website at least once annually. The group’s report of findings will be provided to the Department Head and Webmaster responsible for the reviewed site for resolution of any issues which surface during the review.
Each County or Departmental homepage will contain the following disclaimer language;
“The County of Monterey Website contains hypertext links to external websites. The County of Monterey is not responsible for the subject matter or accessibility of these external websites, and the County does not endorse any entity or product for which a link may be provided. External links are provided as a convenience for users of this site. Once you leave the County of Monterey Website and link to an external site, the County of Monterey Privacy & Security Policies no longer apply. ”
DATA AND PROGRAM BACK-UP
To protect Monterey County's information resources from loss or damage, microcomputer users are responsible for backing-up the information on their machines. For multi-user computer and communication systems, a systems administrator is responsible for making periodic back-ups. If requested, the Information Technology Department will install, or provide technical assistance for the installation of back-up hardware and/or software.
All sensitive ("restricted" or "confidential"), valuable, or critical information resident on Monterey County computer systems and networks must be periodically backed-up. User department managers must define which information and which machines are to be backed-up, the frequency of back-up, and the method of back-up based on the following guidelines:
Nothing in the timeframes for periodic back-up mentioned immediately above restricts the generation of more frequent back-ups, as will occasionally be required for operational and business reasons.
Monterey County requires the use of at least three (3) sets of back-up storage media (tapes, CD-ROMs, etc.) to be used in rotation. For multi-user machines, whenever systems software permits, back-ups should be performed without end-user involvement, over an internal network and during the night.
Storage of back-up media is the responsibility of the microcomputer user or multi-user machine systems administrator involved in the back-up process. Media should be stored in fireproof safes, at a separate location at least several city blocks away from the system being backed-up.
Unless the type of information is specifically listed on Monterey County's Information Retention Schedule, information should retained as long as needed, but for no longer. Information listed on the Information Retention Schedule must be retained for the period specified. Other information must be destroyed when no longer needed--generally within two (2) years.
To prevent it from being revealed to or used by unauthorized parties, all Monterey County "restricted" or "confidential" information stored on back-up computer media (magnetic tapes, floppy disks, optical disks, etc.) must be encrypted using approved encrypting methods.
Operations staff and/or system administrators are responsible for maintaining a safe and clean work area around all shared information technology resources. Physical access to the equipment should restricted as required by security policies, but not obstruct maintenance and repair activities that will likely be necessary during the operational life of the device.
Eating and drinking are prohibited in close proximity to shared communications and processing resources and signs to this effect are to be posted in the room where such equipment is located.
Proper disk, diskette, CD-ROM, floptical-disk, DVD, magnetic tape, and other data recording media handling processes shall be followed at all times. Media of this type shall be stored in proper containers when not in use. Storage containers will be filed in place when not in use. External labels shall be placed upon the media and their storage containers identifying the contents of the being stored upon the media, or referencing an index of the same intent.
Backup – a copy of a file, directory, or volume placed on a separate storage device for the purpose of retrieval in case the original is accidentally erased, damaged, or destroyed.
Documentation – the instructions and references that provide the necessary information to use information technology resources or provide the basis for understanding the function sufficiently to support altered uses in the future.
Hypertext – text that can have embedded links to other text, locations, or data sources.
Link – hypertext that allows navigation from one website and page to another simply by clicking of a mouse pointer over the hypertext.
Mainframe – a large computer generally with multiprocessing power and the capacity to support many users at once.
Microcomputer – typically smaller computers that employ microprocessor chip technology. These can be identified as: palm type, mini-notebooks, notebooks, laptops, transportable, mobile, desktop, work stations and personal computers (PCs).
Midrange computer – a multi-user computer, generally with more power than a personal computer yet not as large as a mainframe.
Surge protector – an electrical device that prevents high-voltage spikes outside the normal line supply voltage range from reaching the computer system.
Uninterrupted Power Source (UPS) – a device that provides electric back-up power to a computer system or other device when the normal electric power supply fails.
URL – (Uniform Resource Locator). A form of pointer that locates information on the Internet.
Web browser – software programs that use the standards and protocols of the Internet, especially the World Wide Web, to make it possible for any computer platform to connect with and utilize the Internet for communications.
Web page – An HTML document tat contains information which can be seen on the Internet using a web browser.
Webmaster – the individual assigned to create and maintain content and navigation tools on a particular website or collection of web pages.
Website – An Internet network location (URL) consisting of a computer attached to the Internet hosting web pages.
Workstation – a highly intelligent microcomputer often found on a LAN or client/server system.
ROLES AND RESPONSIBILITIES
Information Technology Steering Committee – periodically review current operations practices and amend this policy as recommended and necessary.
County Departments – take steps to ensure this policy is implemented and followed by responsible parties. Conduct periodic audits and samples of operational practices to validate conformance. Initiate investigations of alleged violations of this policy and implement corrective actions as warranted.
County Officers and employees – understand the responsibilities of information technology operations policy. Take appropriate actions in conformance with the policy when job responsibilities include operation or administration of information technology resources. Notify responsible parties and management of observed violations of information technology operations policy.
Webmasters – review the operability and content of websites either linked, or being considered for linking, to County web pages. Assess the content of those pages for compliance with the County’s Information Technology Policies and act in accordance with those policies.