IT Computer Security

Security

Objective: Almost all LaPorte County Government business and administrative functions involve the use of computer or telecommunication technologies. Information is processed and stored in vast amounts on minicomputer and microcomputer systems. It is the responsibility of every LaPorte County Government employee and contract worker to safeguard the information and the physical assets of these systems. Computer security procedures are intended to reduce or eliminate threats to computer systems and electronic information. Many of these threats do not result from malicious intent; rather they stem from basic human error. Care and awareness are the two most significant safeguards. All employees and contract staff must know what is and is not allowed in the access to and the use of computer systems and equipment.

1.1 General Security Guidelines: LaPorte County Government will develop and maintain policies and controls to ensure the security of computing and telecommunication equipment, the physical premises housing the equipment and the data used, stored or produced on the equipment. These policies and controls will be approved by the LaPorte County Data Board and LaPorte County Commissioners. The Information Technology Department will develop and maintain these policies on behalf of the government. LaPorte County Government Departments may develop supplemental policies and controls to accommodate specific requirements. These policies may not compromise government policies and controls.

Roles and Responsibilities: LaPorte County Information Technology is responsible for implementing and enforcing adequate computer security policies throughout the organization. LaPorte County Information Technology is responsible for ensuring that an adequate level of security and backup exists for all data whether processed or stored in-house or externally. LaPorte County Information Technology is responsible for ensuring that all of its automated processes are designed, developed and tested so that they function accurately and effectively. LaPorte County Information Technology is responsible for ensuring that all personnel, whether employed by LaPorte County Government or under contract to a department, are made aware of the appropriate security policies and procedures and of their responsibility to conform to those policies and procedures. LaPorte County Information Technology is responsible for ensuring that all computing facilities processing LaPorte County Government information comply with LaPorte County Government security specifications. LaPorte County Information Technology is responsible for ensuring that all staff receive adequate training in the use of hardware and software required for the performance of their jobs. LaPorte County Information Technology is responsible for ensuring that all software installed on LaPorte County Government computers is properly licensed and authorized. Each Department Head is delegated responsibility and authority to implement and enforce these policies within their own department, following LaPorte County's DISCIPLINARY WARNING PROCEDURE in the PERSONNEL POLICY MANUAL, wherever and whenever it is in their control to do so.

1.2 Security Awareness Policy: The Information Technology Department and LaPorte County Government Department Heads are responsible for communicating computer security policies and procedures and for promoting and monitoring their use.

Standards and Procedures: The Information Technology Department will develop and maintain the Computer Security Policies and Procedures. The Information Technology Department will review the Computer Security Policies and Procedures on an annual basis. A copy of the Computer Security Policies and Procedures will be provided to each LaPorte County Government Department by the Information Technology Department. Department Heads will ensure that all employees and contract workers in their departments are aware of and have access to the Computer Security Policies and Procedures. The Information Technology Systems Department, working with Internal Audit, will report periodically to department heads on the level of adherence to the Computer Security Policies and Procedures.

1.3 Physical Security Policy: Information Technology will develop and observe standards and procedures to ensure security of the physical premises and computing equipment.

Limitations: Security for equipment such as personal computers, printers, modems, etc., which is maintained outside the physical control of Information Technology is the responsibility of the LaPorte County Government Department where that equipment resides.

Standards and Procedures: Access to computer and server rooms will be limited to staff who require access for the normal performance of their job. Offices where equipment is housed must be locked during non-business hours. Equipment housed in open areas should be attached to an immovable object by a security cable if possible. Electrical power protection devices to suppress surges, reduce static, and provide battery backup in the event of a power failure should be used as necessary. Equipment which is to be removed from LaPorte County Government property daily or on occasion must have prior approval from the Department Head and Information Technology.

1.4 Network Security Policy: Information Technology will develop and observe standards and procedures to maintain security on all of its computer networks to protect the security of LaPorte County Government data and of access to LaPorte County Government computer systems.

Standards and Procedures: Information Technology will ensure that the software security implemented on the networks it manages is installed and functioning correctly. Information Technology will monitor network security on a regular basis. Adequate information concerning network traffic and activity will be logged to ensure that breaches in network security can be detected. Information Technology will implement and maintain procedures to provide adequate protection from intrusion into LaPorte County Government's computer systems from external sources. Any computer containing sensitive data will be secured from unauthorized access by network-level security procedures. No computer that is connected to the network can have stored, on its disk(s) or in its memory, information that would permit access to other parts of the network. For example, scripts used in accessing a remote host may not contain passwords.

1.5 Data Security Policy: Information Technology will develop and observe standards and procedures to ensure the security of technical and user data.

Limitations: Security for the data stored on computer systems must be determined by the owner of the data. The standards and procedures herein should be adhered to accordingly.

Passwords: Each user should be assigned and be responsible for their own unique user ID and password. A password should be known only to the authorized user of that ID and password. Passwords should be treated as confidential information. They should not be written down or shared with other users. Users should select passwords that conform to standards, as to size and characters used, and cannot be easily guessed by other users. User access should also be restricted to only those functions they are authorized to perform. Confidential data should be protected by passwords which are known only to authorized personnel. Passwords will be changed periodically to maintain security. Department Heads must notify Information Technology of personnel leaving their department who have terminated employment or have been assigned to other duties. Information Technology will then delete that user ID or adjust access rights as directed by the new Department Head.

Standards and Procedures: Data encryption techniques should be used when highly confidential information is stored. If a Department Head feels encryption is necessary, contact Information Technology Systems for assistance. The required data security level, as determined by the owner, must be retained when the data is moved or copied to another system. Confidential documents must have in the header or footer of the document words stating that the document is confidential. Example: LAPORTE COUNTY CIRCUIT COURT CONFIDENTIAL. Printed reports containing confidential data must be stored and discarded appropriately. Confidentiality is determined by the owning department. Users must sign off their terminal when leaving it unattended.

1.6 Personal Computer Security Policy: Information Technology will develop and observe standards and procedures to ensure adequate security for personal computers and the applications and data stored on them.