Kern County Administrative Policy and Procedures Manual

CHAPTER 7 INFORMATION TECHNOLOGY SERVICES PROCEDURES

Section                                                          Page

701. General Statement ............................................ 1
702. Information Technology Services Division Responsibilities .... 1
703. Technology Advisory Committee Functions ...................... 1
704. Request for Information Technology Services .................. 1
705. Request Prioritization and Approval .......................... 2
706. Project Scheduling ........................................... 2
707. Charges for Services ......................................... 2
708. Software Licensing and Use Policy ............................ 2
709. Electronic Communications Usage Policy ....................... 2
710. Remote Access to Computer Network Security Policy ............ 3
711. Technology Standards Policy .................................. 3
712. Information Security Policies ................................ 3

Kern County Policy and Administrative Procedures Manual

7:1

CHAPTER 7 INFORMATION TECHNOLOGY SERVICES

701. General Statement. Policies and procedures adopted by the Board of Supervisors direct the delivery of technology services to departments, and the use of the County’s technology infrastructure by employees and the public. The purpose of this Chapter is to define, clarify, and provide guidance on the implementation of and adherence to these policies and procedures.

702. Information Technology Services Division Responsibilities. The Information Technology Services Division (ITS) of the County Administrative Office supports the integration of technology and serves as a resource for coordinating projects between departments. Specific responsibilities of ITS include the following:

a. Mainframe computer operation, application development and legacy systems maintenance
b. Wide Area Network operation and maintenance
c. Web-based application development and maintenance
d. Internet service provider operation and maintenance
e. Countywide e-mail system administration
f. Telephone communications system operation and maintenance
g. Disaster recovery plan coordination and implementation leader
h. Technology Advisory Committee resource
i. Providing technology advice and consultation to departments and facilitating access to experts
j. Developing and maintaining County web site content
k. Intranet site development, maintenance and operation and firewall administration
l. Network security, including firewall, anti-virus, and SPAM filtering administration and coordinating security policy development (Rev. 03/06)

703. Technology Advisory Committee Functions. The Technology Advisory Committee (TAC) was established by the Board of Supervisors to recommend policy and direction for Countywide technology issues. The TAC membership is as specified by the Board and is representative of all departments. The TAC’s policy recommendations are subject to Board of Supervisors’ approval. All departments are encouraged to participate in the formulation of the TAC’s policy recommendations.

704. Request for Information Technology Services.

.1 Programming and production run requests—mainframe and web applications.

.1.1 Major Applications. User groups and steering committees have been formed for the major applications supported by ITS. The user groups identify enhancements or changes required and prioritize the work. The advisory committees approve the priority list. Software enhancement and new software systems are requested on Form #0350-A, Request for Data Processing (RDP)—Systems and Programming Requests, which is available on CountyNet (applications menu). Special production runs of batch jobs on the mainframe computer are requested via CountyNet—Production Run Request (applications menu). (Rev. 03/05)

.1.2 Minor Applications. Departments that require programming assistance for minor applications may request such by a memorandum which concisely details the nature of the problem or service requested and the end product desired. These requests will be prioritized based on severity of the problem/need and the resources available.

.2 Office Technology Assistance. Requests for support, consultation, and problem resolution for office technology may be done by a memorandum that concisely details the nature of the problem or service requested and the end product desired. These requests are prioritized based on the severity of the problem/need and the resources available.

.3 Telecommunications Assistance. Requests for support, consultation, project management, and problem resolution for telecommunications equipment and systems may be done by a memorandum that clearly and concisely details the end product desired. These requests are prioritized based on the severity of the problem and the resources available.

.4 Help Desk. The Help Desk is available via telephone or e-mail to assist with routine problems or to provide emergency services. The Help Desk is designed to handle requests for online application programs, networks, desktops, telecommunications, and other technical failures. Requests for service are logged, assigned to the appropriate staff, and given a problem number for tracking purposes.

705. Request Prioritization and Approval. Requests for service will be reviewed to determine feasibility. If it is determined that a request is not feasible, the request will be returned to the department along with an explanation of the determination, with a copy sent to the County Administrative Office. Requests of a routine nature will be authorized and scheduled for completion. Requests of a mandated or emergency nature will be given priority consideration and scheduled by ITS in consultation with the County Administrative Office. Requests of a financial or accounting nature will be coordinated with the Auditor-Controller-County Clerk. Requests that significantly impact personnel time and/or equipment commitments will be analyzed to develop a time and cost estimate to complete the request. The County Administrative Office, through the budget process, will determine if the request is sufficiently justified based on the cost/benefit analysis, mandate compliance, degree of necessity, and resource availability.
If justified and resources are available, the County Administrative Office will recommend that funding be included in the department’s budget. Generally, Board of Supervisors’ approval will be through adoption of the County budget; however, the County Administrative Officer may require specific Board approval for major projects.

706. Project Scheduling. A project schedule of the approved/accepted projects will be prepared based on the projects’ priorities. The project schedule will be continuously monitored and updated.

707. Charges for Services. Subvented and specially-funded departments and non-County agencies will be charged for all programming (mainframe and web-based) and network services and operations. All departments and non-County agencies will be charged for special web-based and mainframe programming, specific network services and operations, telephones, and training. A list of chargeable services and estimated costs is available from ITS.

708. Software Licensing and Use Policy. The key provisions of this Board of Supervisors’ adopted policy are summarized below. The full policy is at Exhibit A.

a. Only properly licensed and/or registered software will be loaded on County-owned computers.
b. Software acquired at County expense shall not be copied onto any non-County computer unless specifically authorized by the license agreement.
c. Departments shall establish a permanent file that documents the right to use each copy of software loaded on a County computer.
d. Departments shall audit their computers at least annually to ensure compliance with all licensing requirements.

709. Electronic Communications Usage Policy. This Board of Supervisors’ adopted policy governs the use of information technology and associated electronic information devices, including but not necessarily limited to e-mail, Internet use and online bulletin boards, telephones and voice mail, video conferencing, desktop and laptop computers, cellular phones, personal digital assistants (PDAs), pagers, FAX, copy machines, electronic documents, diskettes and other storage media, television, and any other form of electronic communication. County employees, contractors, and vendors with access to County electronic communication devices are required to comply with this policy while using the County’s data and telecommunications infrastructure. Department heads are required to ensure that each employee receives a copy of the policy and signs an acknowledgement of receipt annually. The department is to keep a file of the signed policy documents. The full policy is at Exhibit B. (Rev. 03/05)

710. Remote Access to Computer Network Security Policy. This Board of Supervisors’ adopted policy applies to non-County entities and specifies the requirements for access and establishes the minimum security requirements for accessing the County’s computer network from remote locations. The full policy is at Exhibit C.

711. Technology Standards Policy. This Board of Supervisors’ adopted policy specifies the County’s hardware, operating systems and software, and development tool requirements. The full policy is at Exhibit D. (Rev. 03/06)

712. Information Security Policies. This Board of Supervisors’ adopted policy specifies the security measures to be taken to ensure the integrity of the County’s technology systems. The full policy is at Exhibit E. (Rev. 03/05)

Exhibit A
SOFTWARE LICENSING AND USE POLICY

BACKGROUND

The Kern County Site License User Group has taken as a task the development of a countywide policy regarding the use of licensed software. The purpose of this policy shall be to ensure the County uses only legally obtained software and to establish a uniform means to document that the software in use was legally licensed.

LICENSING ISSUES

Most of the common software in use by the County is copyrighted, proprietary, intellectual property. When the County purchases a software license, what is actually being purchased is a license to use the software; no transfer of ownership occurs, and the licensee does not obtain any rights of ownership. Since the license is a license to use the software, every computer which uses the software must be licensed to use it.

Software companies zealously guard ownership of their copyrighted, proprietary, intellectual property. There have been numerous instances over the past few years of Courts awarding compensatory damages in the tens of thousands of dollars to bring the defendants into compliance on the number of copies of the software in use, and the Courts have also awarded punitive damages in the millions of dollars to set an example to other software users. The potential financial liability to the County of Kern is considerable should there be unlicensed software in use.

Another consideration is that, for the most part, County departments exist to provide a service of one nature or another. If, in the provision of that service, unlicensed software is used and provision of the service becomes dependent on that unlicensed software, then if a court injunction were to be issued to stop using that software, how would the service continue to be rendered?

Software licenses take many different forms depending upon your projected use of the software and your hardware/network configuration. Some of the more common forms are:

a) Site License - under a site license, usually a designated quantity of personal computers are allowed to use a copy of the software. Routinely under a site license, the County would be obligated to guarantee purchase each year of a specified quantity of licenses and maintain support on them as well. Under a site license, the County would be subject to a physical audit once or twice a year to determine how many copies of the software were in use. If not as many copies had been acquired as agreed to in the site license purchase agreement, the County would be obligated to purchase the difference. If more copies were in use than allowed for under the site license purchase agreement, the County would be obligated to purchase the difference and may be subject to punitive damages.

b) Network License - a network license is usually one of two types, a fixed number of seats or a maximum number of concurrent users. The fixed number of seats option would usually be based on the projected number of personal computers on a network and would usually be for those specific personal computers. Personal computers on other networks, linking to that network, would also need a specific license to use that software. The concurrent users option is when no more than a specified number of users are licensed to use (be logged into) the software at the same time. This option, though, does not usually limit the computers to pre-specified ones or even ones on the same network. However, with the concurrent option, few software packages are designed to enforce this, and thus often the number of users can easily exceed the number licensed to use the software concurrently.

c) CPU License - a CPU license is generally for just one specific computer. This would be the type of license most often obtained when an individual purchases a single license. This type of license generally allows for the software to only be installed and executing on a single personal computer. A copy is usually allowed to be made for back-up purposes. A question commonly arises as to whether the software can be used on another computer, by the original purchaser, when the original computer is not currently using the software. Unless the license specifically grants this right, you must assume it is not allowed until such time as the original purchaser certifies in writing that the software has been expunged from the original computer.

d) Runtime License - a runtime license is usually acquired when there is a considerable number of users who are geographically dispersed, who are not on the same network, and who will use the software infrequently. While a runtime license usually does not limit the number of users, it does usually cost more than the license would for just a few users. This is a type of license that must be specifically negotiated.

Employees may often find sources for what they believe to be “free” software. However, without obtaining positive proof that usage of this “free” software is legal, the employees are placing themselves and the County at great financial liability. Some of the terms frequently used to describe this “free” software are:

a) Public Domain - if software was developed by a taxpayer-supported government entity, that does not necessarily mean the software is in the public domain. Court rulings have held that such software is: 1) considered to be intellectual property owned by the specific government entity, 2) the government entity is responsible to its funding source for reasonable and proper use/disposition of the intellectual property just as it is with physical property, and 3) the release of intellectual property to other entities, public or private, must be based on sound business practices.

b) Shareware - shareware is generally software the author has made available on the honor system for users to try. The author usually retains full copyright and ownership rights to the software. After a user tries it, that person is expected to provide a registration fee to the author.

c) Freeware - freeware is considered to be free software for which there is no license or registration fee. The author usually retains full copyright and ownership rights to the software.

RECOMMENDED POLICY

Departments and Employees of the County of Kern shall load onto a computer, owned or leased by the County of Kern, only that software which has been properly licensed and/or registered to operate on that specific computer or network, or software which has been certified as being in the Public Domain. Software acquired at County expense is the property of Kern County and shall not be copied onto any non-County computer or network unless the license specifically allows for it.

Departments shall take steps to establish a permanent file that documents their right to use each and every copy of a software program loaded onto a County computer within their department. Proper documentation for licensed software or registered shareware shall consist of an Invoice from the licensing vendor which indicates their willingness to sell the licenses for a particular fee, and a County Purchase Order which indicates the County’s acceptance and purchase under those terms. The Purchase Order document must indicate the type of license being acquired: site, network (concurrent or per seat), CPU, etc. As an added protection, each department shall audit their computers at least once a year to ensure compliance with all licensing requirements.

Exhibit B
KERN COUNTY ELECTRONIC COMMUNICATIONS USAGE POLICY
Effective July 23, 2002

I. Purpose

A. To provide a policy that defines conditions for the authorized use of information technology and associated electronic information devices, including, but not necessarily limited to, the following:
• E-mail (electronic mail)
• Internet use
• Telephone and voice-mail
• Video conferencing
• Desktop computers
• Laptop computers
• Cellular phones
• Personal Digital Assistant (PDA)
• FAX
• Diskettes and other storage media
• Online bulletin boards
• Television
• Electronic documents
• Pagers
• Copy Machines
• Any other forms of electronic communication.

B. County employees, contractors, or vendors with access to Kern County electronic communications are required to abide by this policy while using the County’s data and telecommunications infrastructure. All references to County employees throughout this document shall also apply to all contractors, vendors and other non-County employees who have been granted access to County owned electronic communications. All County employees, contractors, or vendors using the County’s data and telecommunications infrastructure must sign the acknowledgment on the last page of this document.

C. These are considered minimum guidelines. Department heads may develop stricter policies for their department.

II. General Principles

A. Electronic communications services are provided by Kern County to support open communications and research through the exchange of information and to provide the opportunity for collaborative government-related work. Kern County encourages the use of electronic communications by its agencies and employees.

B. The County’s electronic communication systems are the property of Kern County government and are intended for use in carrying out government business. Kern County retains all personal property rights in any matter created, received or sent via the County’s electronic communications systems and such matter is not the property of the employees. The contents of any electronic communication may be disclosed to authorized individuals within the organization without the permission of the sender or recipient. Employees should have no expectation of privacy in any matter created, received or sent using the County’s electronic communications systems. Employees must not assume that communications or messages of any type are confidential because a private password is used. The use of passwords to gain access to the electronic communications systems is for the protection of the County, not employees. The appropriate County staff must have access to the entire network.


C. Electronic communications are “public records” under Government Code section 6253.9 (part of the Public Records Act), which provides essentially that even though records are in electronic format they are still subject to review and inspection by the public.

D. Although access to information and information technology is essential to the missions of government agencies and their employees, use of electronic communications services is a revocable privilege. Conformance with acceptable use, as expressed in this policy statement, is required. All Kern County departments are expected to maintain and enforce this policy.

III. Applicability

A. All Kern County employees shall be covered by this policy.

B. Contractors and other non-County employees may be granted access to County-provided electronic communications services at the discretion of the contracting authority. Acceptable use by contractors and other non-County employees working for Kern County is the responsibility of each department’s contract monitor. The contract monitor is expected to provide contractors who use Kern County electronic communications services with this information.

IV. Policy

A. Scope

1. This policy applies to all electronic and telephonic communications systems and all communications and information transmitted by, received from, or stored in these systems. These systems are the property of Kern County, and as such, are to be used primarily for job-related communications. While in the performance of work-related functions, while on the job, or while using publicly owned or publicly provided information processing resources, employees are expected to use those resources identified in Section I responsibly and professionally and shall make no intentional use of those resources for any unlawful purpose. Employees may make reasonable personal use of publicly owned or provided resources as long as:
   a. There is no or negligible cost to the County or public;
   b. There is no negative impact on employee performance of public duties;
   c. Employees shall reimburse the County if any costs are incurred; and
   d. No other provision in this Usage Policy is violated, including that which prohibits intentional use of resources for an unlawful purpose.

2.

3.

4.

All County rules, regulations, and guidelines, as they presently exist and as they may be amended in the future, on ethical and appropriate behavior of County employees and the appropriate use of County resources apply to the use of all electronic communications.

B. Enforcement

Department heads or their designated representatives are responsible for disseminating and enforcing their employees’ compliance with the provisions of this policy and for investigating non-compliance. When an instance of non-compliance with this policy is discovered or suspected, the agency shall proceed in accordance with departmental and Kern County personnel policies. Employees’ privileges may be revoked when deemed necessary to maintain the operations and integrity of Kern County information systems. User access, accounts, passwords, software and hardware may be withdrawn without notice if an employee is suspected of violating this Electronic Communications Usage Policy. Employee discipline may be appropriate in cases of non-compliance with this policy. Criminal or civil action against employees may be appropriate where laws or rights are violated. Employees need to know that any electronic media communication may be considered a public record subject to disclosure under California law.

C. Acceptable Uses:

1. Communication and information exchange directly related to the mission or work tasks of the County department.
2. Communication and exchange for professional development, to maintain currency of training or education, or to discuss issues related to the employee’s department activities.
3. Applying for or administering grants or contracts for County research or programs.
4. Advisory, standards, research, analysis, and professional society activities related to the County governmental work tasks and duties.
5. Announcement of new laws, procedures, policies, rules, services, programs, information, or activities.

D. Prohibited Uses:

Electronic media and communications shall not be used in any manner in violation of the law or County rules, policies or procedures. Electronic media and communications shall in no manner be used for any improper, illegal, offensive or harassing purpose. Activities prohibited by this policy include, but are not necessarily limited to, the following:

1. Accessing or sending of any material or communication in violation of any federal, state, or local law, ordinance, or regulation.
2. Accessing or sending of any material or communication which includes potentially offensive material (such as pornography, or sexual, racial or ethnic comments, jokes or slurs).
3. Accessing or sending any material of a political nature is prohibited. Employees may not use County time and equipment to either support or oppose campaigns or candidates for elected offices. Messages of a religious nature or promoting or opposing religious beliefs will not be allowed.
4. Using e-mail to send information that needs to be communicated individually to every County employee (several hundred employees do not have access to a computer on a regular basis), or if a quick response is needed. Many employees may not or cannot check their electronic mail on a frequent basis. When establishing or changing a policy, formal policies should be announced via a memo instead of e-mail.
5. Misrepresentation under any circumstances of an employee’s true identity.
6. Unauthorized access to any computer system.
7. Any action intended to accomplish or assist in unauthorized access to computer systems.
8. Unauthorized or improper downloading, accessing or sending of copyrighted information, documents or software.
9. Personal Web Sites. County employees are prohibited from developing and running personal Web sites on County electronic communications equipment or on or through any County contracted ISP services.
10. Use of County’s electronic communications equipment or network for private business purposes, including non-profit, charitable and for-profit businesses.
11. Use of County electronic communications equipment or network for any purpose related to gambling.
12. Purchases through the County’s electronic communications networks. Employees shall not use the County’s access to purchase, obtain or offer products or information for County purchases without prior approval through normal Kern County Purchasing Procedures.
13. Sending of unauthorized broadcast communications or solicitations (such as a County-wide e-mail message). The department head or their designated representative must approve all County-wide broadcast or solicitation messages in advance.
14. Any action that causes the County to incur a fee for which there has not been prior approval.
15. Use of a security code or password other than as authorized.
16. Disclosing a username and password to anyone for any purpose.
17. Sending confidential communications via e-mail. Common sense should be employed if a communication must be kept confidential. Information dealing with personnel issues may lose confidentiality due to its electronic transmission. It is recommended that confidential or other sensitive materials not be transmitted electronically.
18. Streaming Audio, Video and Data. Electronic communications networks are a shared resource. Although watching KGOV is acceptable, listening to the radio is not. Also prohibited are any stock market, weather, sport or other types of streaming data tickers. The department head or their designated representative must approve all uses of streaming audio, video and data in advance.
19. Employees may not use any non-County web site which requires the acceptance of any contractual terms and conditions as a condition to use that web site without prior department head and/or Counsel approval.

E. Notice of County’s Rights:

Employees need to be aware that deleting electronic communications (e.g., deleting an e-mail message from their mailbox or voicemail from their Audix) does not necessarily mean that they are permanently deleted from the system. In the case of e-mail and voice mail messages, these messages may be saved by the County and employees should have no expectation of privacy in any electronic media communications. Employees should further be advised that the County maintains a record of all telephone usage regarding all incoming/outgoing telephone calls including the date/time of the call, duration of the call, and the incoming and outgoing phone numbers. This usage information is subject to Public Disclosure and/or subpoena by the Courts.

All electronic media communications are considered at all times to be County records. The County has the capability to access, monitor, review, and copy or disclose any electronic media communications; and the County reserves the right to do so for any proper County purpose. The use of security measures (such as individual passwords) or deletion of electronic media communications (such as deletion of e-mail messages by employees) does not affect the County’s ability or right to access, review, copy or disclose such communications under appropriate circumstances. Employees’ use of electronic media is consent to such action by the County. This policy shall not be interpreted to limit the County’s access to electronic media communications under appropriate circumstances; and shall not in any way limit the County’s control or ownership of its electronic media systems. However, this policy is in no way intended to permit unauthorized access to electronic media communications.

F. Software:

1. Employees shall use only legally acquired and licensed software distributed by the department and approved in accordance with Chapter 7 of the Administrative Procedures Manual. The Software Licensing and Use Policy key provisions are summarized below:
   a. Only properly licensed and/or registered software will be loaded on County-owned computers.
   b. Software acquired at County expense shall not be copied onto any non-County computer unless specifically authorized by the license agreement.
   c. Departments shall establish a permanent file that documents the right to use each copy of the software loaded on a County computer.
   d. Departments shall audit their computers at least annually to ensure compliance with all licensing requirements.
   Downloading software is prohibited without prior approval by the Department Head or their designated representative.
2. Loading any program or data from diskette, CD, tape or other portable media into a County owned computer or other device when such media has not been scanned by anti-virus software.
3. Employees must get the approval of the Department Head or their designated representative prior to loading County owned software with home use options on home computers and must abide by this policy while using them.

G. E-mail:

1. Categories of E-Mail
E-mails generally fall within the following categories:
   a. Business E-mails – These are e-mails that contain information relating to the conduct of the County’s business and can be either transitory in nature or more permanent.
      1). Transitory E-mails – These are e-mails that have limited or transitory value to the County, and are created primarily for the informal communication of information. Transitory e-mails would include, but would not be limited to, e-mails announcing the date and time of a meeting, casual and routine communications and announcements similar to telephone conversations, notes, interagency or intra-agency memoranda and preliminary drafts which are not directly related to any non-transitory communications indicated below.
      2). Non-Transitory E-mails – These are e-mails that are more formal in nature and have lasting value to the County. Examples:
         • E-mails of a policy or decision-making nature
         • E-mails connected to specific case files
         • E-mails that are contract related
         • Other e-mails that are an essential part of a larger record, or other memorandum of significant public business
      As such, these e-mail messages are similar to printed communications and should be written, transmitted and stored with the same care.
   b. Non-Business E-mails – These are e-mails that do not contain information relating to the conduct of the County’s business. These e-mails include unofficial, personal messages.

2. Retention Requirements
The category of the e-mail message determines the retention requirement:
   Business – Transitory: The e-mail message must be deleted once it has served its administrative purpose.
   Business – Non-Transitory: Within six months of receiving or sending the e-mail, the e-mail message must be stored in another electronic file (e.g., an MS Word file) or a hard copy must be made and stored as would be done with any other hard-copy communication. This stored copy will then become the official “public record” and is then subject to the destruction requirements in Administrative Bulletin No. 11. The e-mail message must then be deleted.
   Non-Business: The e-mail message should be deleted immediately.

3. Additional E-mail Guidelines
   a. The responsibility for compliance with this policy lies with each County employee. It is the responsibility of departmental management to develop internal procedures consistent with this policy to ensure compliance.
   b. Employees need to know that even when they delete an e-mail or voice mail from their mailbox (and empty it from their GroupWise Trash or equivalent), it may continue to exist in backup or archival storage devices or in the mailboxes of other recipients or addressees.
   c. If an employee sets up a vacation rule that generates an automatic reply to incoming e-mails:
      • The reply option should always be “reply to sender”, not “reply to all”. The “reply to all” option can cause problems if the original e-mail was sent to a large group of people.
      • The rule should be set up to reply only to messages where the From field does not contain an “@” symbol (so that the rule will NOT reply to messages originating outside of the County). The reason for this setting is that if the original e-mail was sent from an automated system, the vacation rule reply will sometimes trigger it to resend the original message each time it gets a reply, causing a loop that can flood the mailbox with messages and overburden the County’s e-mail infrastructure.
   d. Employees shall only access e-mail accounts through systems set up by the County, including GroupWise and Exchange (Courts). Employees shall not access hotmail.com and similar e-mail accounts via an Internet connection over the Wide Area Network (WAN). It has been detected that these types of e-mail accounts bypass the County's security network and make the County's WAN vulnerable to viruses.
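The vacation-rule conditions in guideline 3.c, worked through as an added example (not Kern County's or GroupWise's code): the decision replies to the sender only and suppresses replies to any From address containing "@", which the policy treats as an external sender; it assumes incoming mail is available as plain RFC 5322 text, and the Auto-Submitted check (RFC 3834) is an addition beyond the page that catches the automated-sender loop the policy describes.

```python
"""Vacation auto-reply decision logic modelled on the policy's guideline 3.c.

Added example, not the County's or GroupWise's code. Assumes internal
GroupWise senders appear in the From field without an "@" (the convention
the policy relies on) and that messages are available as RFC 5322 text.
"""
from email import message_from_string
from email.message import Message
from typing import Optional, Tuple

# RFC 3834 header values that mark machine-generated mail (an addition beyond
# the page). Answering these is exactly the reply loop the policy warns about.
_AUTO_SUBMITTED_SKIP = {"auto-generated", "auto-replied"}


def should_auto_reply(msg: Message) -> Tuple[bool, str]:
    """Decide whether the vacation rule may answer one incoming message."""
    sender = (msg.get("From") or "").strip()
    if not sender:
        return False, "no From field"
    if "@" in sender:
        # Policy rule: never answer mail that originated outside the County.
        return False, "external sender"
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    if auto in _AUTO_SUBMITTED_SKIP:
        return False, "automated sender"
    return True, "internal sender"


def build_reply(msg: Message, body: str) -> Optional[Message]:
    """Build the auto-reply addressed to the sender only, or None if suppressed."""
    ok, _reason = should_auto_reply(msg)
    if not ok:
        return None
    reply = Message()
    reply["To"] = msg["From"]                  # "reply to sender", never "reply to all"
    reply["Subject"] = "Out of office: " + (msg.get("Subject") or "")
    reply["Auto-Submitted"] = "auto-replied"   # lets other rules recognise this reply
    if msg.get("Message-ID"):
        reply["In-Reply-To"] = msg["Message-ID"]
    reply.set_payload(body)
    return reply


def decide(raw: str) -> Tuple[bool, str]:
    """Parse raw message text and return the (reply?, reason) decision."""
    return should_auto_reply(message_from_string(raw))


def reply_for(raw: str, body: str) -> Optional[Message]:
    """Parse raw message text and build the reply (or None)."""
    return build_reply(message_from_string(raw), body)


# Constructed sample messages (not real County mail).
INTERNAL = ("From: JSmith\nTo: ADoe\nCc: Staff\nSubject: Staff meeting\n"
            "Message-ID: <sample-1@constructed>\n\nMeeting moved to 2 pm.\n")
EXTERNAL = ("From: vendor@example.com\nTo: ADoe\nSubject: Invoice\n\n"
            "Please see attached.\n")
AUTOMATED = ("From: Alerts\nTo: ADoe\nAuto-Submitted: auto-generated\n"
             "Subject: Nightly backup\n\nBackup completed.\n")

if __name__ == "__main__":
    for name, raw in (("internal", INTERNAL), ("external", EXTERNAL),
                      ("automated", AUTOMATED)):
        print(name, decide(raw))
```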


H. Additional Guidelines:
1. Logoff (Exiting). Always make a reasonable attempt to complete the logoff or other termination procedure when finished using any system such as Internet, GroupWise, etc.
2. Large File Transfers and Network Capacity. Electronic communications networks are a shared resource. While routine electronic mail and file transfer activities won’t significantly affect other users, large file transfers will impact the service levels of other users. Employees contemplating file transfers over 10 megabytes per transfer should schedule these activities before or after regular business hours.
3. Certain electronic media (especially e-mail) may not be appropriate to transmit sensitive materials, which may be more appropriately communicated by written document or personal conversation.
4. Employees should always remember that persons other than the sender and the recipient may read electronic media communications at a later date. Accordingly, electronic media communications (such as e-mail messages) should always be treated as written memos, which may remain on file in various locations.

I. Requests for Electronic Data:
Requests to produce copies of or provide access to non-routine information from electronic communication systems shall immediately be forwarded to the appropriate Department Head. Upon review the Department Head can determine if County Counsel should be contacted.

V. Written Acknowledgment:
Department Heads shall have all employees acknowledge in writing that they have received and read this policy. Such written acknowledgment shall be retained in department files. (Nevertheless, the failure to provide such written acknowledgment shall not in any way limit the County’s ability to enforce this policy.)


Acknowledgment of Kern County Electronic Communications Usage Policy

I have received a copy of and am fully aware of Kern County’s Electronic Communications Usage Policy, and I agree to abide by the terms of this policy. I understand that I should have no expectation of privacy in any matter created, received or sent using the County’s electronic communications systems. I understand that any violation of this policy may result in disciplinary actions being taken against me, and may constitute a criminal offense. Should I commit any violation, my access privileges may be revoked and/or appropriate legal/disciplinary action may be taken. I also agree to remain apprised of future revisions to this policy and to abide by the terms of all such revisions.

This signed acknowledgment of the employee receiving and reading this policy will be placed in the departmental personnel folder of the employee or with the executed contract for the contractor or vendor.

Employee Name (please print): ____________________________________
Employee Signature: ____________________________________________
Department: ___________________________________________________
Date: _______________________________________________________

Policy Effective Date: July 23, 2002


KERN COUNTY REMOTE ACCESS NETWORK SECURITY POLICY Any individual or agency, hereinafter referred to as “Client”, wishing to connect to the Kern County Wide-Area Network (KCWAN) must comply with the following list of requirements. The County reserves the right to perform periodic on-site audits of a facility to confirm that these requirements are being met. If the County determines that a Client is not meeting these requirements, at the sole discretion of County, Client will be subject to the sanctions and remedies under the law as specified in the governing Agreement, to which this is an exhibit. Violations pursuant to California Penal Code Section 502 are subject to prosecution.

Requirements For All Connection Types

I. Anti-virus Software
Every workstation or server connecting to the KCWAN must have ICSA Labs approved anti-virus software installed on it. A reasonable effort must be made to have the most recent virus signature files on the workstations and servers at all times. The anti-virus software should be configured to scan all files going to or coming from the KCWAN.

II. Physical Security
All workstations, printers, network equipment, and servers connecting to the KCWAN must be physically secure. To prevent unauthorized access to the KCWAN, all users must log out of the KCWAN as soon as they have completed using the KCWAN. The County reserves the right to terminate connections after 10 minutes of idle time.

III. Password Security
For all workstations connected to the KCWAN, passwords or other methods of authentication are to be used.
- Passwords must be non-trivial, at least 7 characters long and a combination of numbers and letters.
- Passwords must be changed every 30 days.
- Passwords may not be shared.
Additionally, the Client will conform to the password standards of the County regarding application-level and network passwords.

IV. Data Security
Client shall have in place security procedures to ensure that all transmissions of data are authorized and to protect KCWAN data from improper access. When information must travel across lines of communication where both ends are not under the control of KCWAN, Client agrees to use, at a minimum, strong authentication and encryption to protect the data, and shall take reasonable steps to protect the data including, but not limited to, the following:
1. Client will use security/access software and/or procedures sufficient to reasonably ensure that all transmissions of data are authorized and/or to protect the data from unauthorized access.
2. Client PCs and/or data terminals that are viewable from public areas must have screen savers or screen blanking utilities installed and active. The “Wait” time should be configured for six minutes or less.
3. Client will safeguard the data from tampering and unauthorized disclosures. This protection must extend beyond the initial information obtained from KCWAN to any databases or collections of data containing information derived from the data. This provision shall be in force even if data are made anonymous by removing any identifying information.
4. Client shall maintain the confidentiality of passwords and other codes required for accessing this information. Client may not sell, release, or otherwise furnish such data or information to any third parties without the written approval of County.

Modes and Methods of Communications
The following applies to all modes and methods of communication including, but not limited to, verbal, electronic, written, automated, computer, facsimile, telephone, voice mail, electronic mail, and any and all other forms of communication. The content of the information, not the method of communicating, determines the need for privacy and confidentiality. Several universal guidelines apply to all forms of communication of private and confidential information:
- The information will be provided only to those with a need to know in order to perform their job.
- The sender or originator of the information must ensure that only the intended recipient(s) will have access to the information. Particular care must be taken when sending confidential information electronically, such as via computers, fax machines, or voice mail.
- Storage of confidential information must be secure, protected from unauthorized access, and protected from damage.
- Methods of receiving confidential information must be secured and located so they are not accessible to the general public. Examples include in-baskets, fax machines, electronic mail and computer terminals.
- Private and Confidential information must be clearly identified as such and protected by passwords, special envelopes, fax cover pages, or other similar methods.

Requirements For Specific Connection Types

1. Dial-up connections:
Clients requiring dial-up access to a specific resource will be configured using one of the following connection types:
- Modem to remote access server (note: this method will also be used to access AS/400's that support IP)
- Modem-to-modem and modem-to-router connections will be permitted only for troubleshooting and only on a temporary basis.
For remote administration purposes, the Client must use County approved remote control software configured per County specifications.

2. Internet-based Connections:
If the Client is an agency with a network, the Client’s facility must have an ICSA-certified firewall, configured with an IPSEC standard secure tunnel. This applies to all of the following types of connections:
- Network-to-network (subnet to subnet)
- Device (e.g., PC, server, printer) to network
- Device to device
- Network to device

If the Client is an individual or agency without a network, each workstation that will be accessing KCWAN must have:
- a valid account with a reputable ISP (Internet Service Provider)
- VPN (Virtual Private Network) software installed and configured per County specifications.
If the Client will be logging into a network, the workstation must have the necessary client software installed and configured per County specifications.

3. LAN-to-LAN connections:
Unless otherwise negotiated, the Client will provide all equipment that the County deems necessary for the connection, including host equipment (i.e., equipment located within a County department). Equipment to be used will include a router (Nortel or Cisco brand) to be located in the County, and any other necessary connection peripherals and accessories, which may include matching CSU’s/DSU’s for each end of the connection, a communication line (e.g., T1, fiber), a transceiver or media converter, and any related software. The County will configure and control host-end equipment per County standards; routers on both ends will be configured using a static addressing scheme. Any Client whose LAN/WAN is connected to the Internet must have a firewall in place between the Client’s LAN/WAN and the Internet.

Kern County Technology Standards

TABLE OF CONTENTS

INTRODUCTION
   A. Scope ........................................ 1
   B. Applicability ................................ 1
   C. Recognized Exceptions ........................ 2
   D. Revision History ............................. 3

I. HARDWARE
   A. Network Equipment ............................ 5
      1. Routers ................................... 6
      2. Switches .................................. 8
      3. Firewalls ................................. 9
      4. CSUs/DSUs ................................. 9
      5. Cable and Cable Installations ............ 10
   B. Servers ..................................... 10
      1. Enterprise Servers ....................... 10
      2. Production Servers (Intel / AMD based) .. 11
   C. Desktop Computers ........................... 12
   D. Laptops & Tablet PCs ........................ 13

II. OPERATING SYSTEMS AND SOFTWARE ................ 14
   A. Operating Systems ........................... 14
   B. Office Products Software .................... 15
   C. E-Mail Software ............................. 16
   D. Browser Software ............................ 17
   E. Anti-virus Software ......................... 17
   F. PDF Software ................................ 18

III. DEVELOPMENT TOOLS ............................ 19
   A. Web Server and Application Server Operating System and Software ... 19
   B. Library Management Software ................. 19
   C. Databases ................................... 20
   D. Data-mining/Reporting Tools ................. 20
   E. Integrated Development Environment .......... 20
   F. Programming Languages ....................... 21
   G. Web Page Development Tools .................. 22

APPENDIX A – Product Support Lifecycles ........... 24
APPENDIX B – Glossary ............................. 26

Introduction

A. Scope
Technology Standards listed in this document are for technical purchases that impact the County as a whole. These fall into four categories:
1. Items that impact the WAN (e.g., standards for routers and switches)
2. Items that facilitate effective communication between departments (e.g., standards for an office suite)
3. Items that require County ITS’ support where departments either do not have their own technical personnel or they are soliciting additional support (e.g., server hardware standards, development tool standards)
4. Items that safeguard the overall security of the County (e.g., standards for anti-virus software)

For technical purchases not included in these Technology Standards – e.g., scanners – the department is free to purchase the brand/product they wish as long as they adhere to all County licensing, purchasing, and security policies.

Note: When purchasing hardware, if a department wishes to purchase a specific brand of switch or firewall, they may specify that brand in the purchase requisition as long as that brand meets the standards identified for the respective type of hardware.

B. Applicability
1. Hardware
Standards apply only to equipment purchased or leased after the listed revision date for that type of hardware or February 2002, whichever is later. Existing equipment purchased before the indicated date may remain in service until support for that equipment expires.
2. Operating Systems/Software
   a. For everything but anti-virus software, standards apply only to software purchased after the listed revision date for that type of operating system/software or February 2002, whichever is later. Workstations or servers running operating systems or software that was purchased before the indicated date must be upgraded to the listed standard before extended support for that software/version expires. See Appendix A for support expiration dates.
   b. For anti-virus software, standards apply to all County servers and workstations, including workstations that use VPN to access the County’s network.
3. Development Tools
These items are recommendations rather than standards, but the version used of a given tool should be one with vendor support.

C. Recognized Exceptions
For the hardware and operating systems/software categories, the following recognized exceptions apply:
1. Federal or State Mandates: If department hardware/software interfaces with a state or federal agency’s system, and the state or federal agency either furnishes the equipment/software or specifies what equipment/software must be used in order to interface, that equipment/software may be purchased.
2. Vendor Requirement: A department that is purchasing items with specific hardware/software requirements as a prerequisite for vendor support may purchase that specific hardware/software.
3. Application Requirement: For the operating systems/software category, if a department is running an application/component that requires an older or alternative operating system or software application/component, that operating system/application may be run as long as extended support is available for that operating system/software. The department will be required to replace the application before the extended support expires.

If a department wishes to go against the standard in a situation where a recognized exception does not apply:
• They are expected to get Board approval for their decision.
• Information Technology Services Division (ITS) cannot guarantee support for the purchase.

Note: For the development tools category, recognized exceptions are not applicable since the listed tools are recommendations rather than standards.


D. Revision History
This document will be reviewed and updated early every calendar year, so that the latest updates are approved before the budget cycle begins. All non-cosmetic changes made to this document will be summarized in this introduction.

Revision(s) 3/06
Added an introduction to the document and moved all of the recognized exceptions to this introduction instead of having them interspersed throughout the document. The introduction also defines the document’s scope and the applicability of these standards.

Revisions, Hardware section:
• Clarified procedure for ordering a specific brand of network hardware
• Renamed LAN Equipment section to Network Equipment
• Split routers and switches into separate categories and adjusted the maintenance requirements
• Added Cisco to the list of approved manufacturers for routers
• For switches, removed the brand requirement and instead listed capabilities
• Added sections for firewalls and CSU/DSUs
• Removed ATM from cable topologies
• Renamed midrange servers to enterprise servers, and clarified that this category refers to non-Intel/AMD-based servers
• Renamed LAN file servers section to Production servers
• Deleted the network card requirement for servers, as it was redundant
• Deleted MHz requirement for servers, as it was not needed (new servers will always have the minimum MHz required; the areas that vary are RAM and hard drive size), increased processor/RAM requirements, and added a hard drive capacity requirement
• For servers and desktops:
   o Replaced Tier 1 Company references with Preferred Company, and adjusted the list of Preferred Companies
   o Changed the requirements for departments without technical support to follow ITS specifications rather than specifying a single brand of hardware
   o Streamlined the justification
   o Noted that Celeron and Sempron are not acceptable processor brands
• Adjusted the desktop warranty and replacement period sections
• Added a new section for laptops/tablet PCs

Revisions, Operating Systems/Software section:
• Added Linux to the list of acceptable server and desktop operating systems
• Added Star Office and Open Office to the list of acceptable office products
• Split the e-mail software section into two components, e-mail server software and e-mail client software, and updated justification
• Changed and expanded the browser recommendation, replacing the Netscape Navigator recommendation with Mozilla Firefox
• Expanded the anti-virus software recommendation to include Linux servers/workstations and clarify requirements
• Added a new section for PDF tools

Revisions, Development Tools section:
• Added a note about adhering to the County’s Web design guidelines
• Expanded list of Web server/Application server OS/software
• Expanded list of library management software
• Expanded list of databases
• Added section for data-mining/reporting tools
• Split interpreted programming language and development tools suite into separate sections and renamed the latter to Integrated Development Environment
• Expanded list of interpreted languages
• Expanded list of compiled languages
• Added section for tag-based/markup-based languages
• Adjusted Web page development tools to reflect tools currently being used in the County

Revisions, Appendix A:
• Changed focus of this appendix – instead of an implementation schedule, made it a list of product support lifecycle end dates. With this change, instead of referencing specific dates within the body of the standards, we were able to have a generic statement that any software used in the County must have vendor support available
• Added a note that this appendix could be updated without Board approval, since these dates can change frequently

Revisions, Appendix B:
• Added definitions for the new document sections and updated/streamlined other definitions where applicable


I. Hardware

Note: If the department wishes to purchase a specific brand of switch or firewall, they may specify that brand in the purchase requisition as long as that brand meets the standards identified for the respective type of hardware.

A. Network Equipment

1. Routers (Revised 3/2006)
Note: For the purposes of this document, a router is defined as a device that provides connectivity between subnets and is connected in any way to the County WAN. Devices or software that provide routing capabilities as a secondary function – e.g., firewalls – are not considered to be routers in this context.
   a. Approved Manufacturers
   Cisco and Nortel brands are both acceptable.
   b. Justification
   Previously the standard was Nortel only, but this caused issues in some situations where the Nortel products did not offer the same features as Cisco products. Allowing both brands will allow departments the flexibility of choosing the product that best meets their needs, as well as being cost-effective in situations where one brand may be substantially less expensive than the other brand. ITS staff was recently trained in configuring/troubleshooting Cisco products, so there is no longer a problem with their supporting departments that are using Cisco products.
   c. Warranty and Maintenance
   All routers must be leased or purchased with either:
      1. a premium maintenance agreement for the life of the equipment
      2. depot maintenance agreement and/or spare equipment for replacement
   d. Replacement
   Routers must be replaced when vendor support is no longer available, or is cost prohibitive.


2. Switches (Revised 3/2006)
Notes:
• For the purposes of this document, a switch is defined as a device that provides non-routed connectivity between devices on the same subnet.
• For the purposes of this document, a small office is defined as an office that has 12 or fewer total devices/connections.
   a. Manufacturers
   Large office: Enterprise level switch (any brand) that has the following capabilities:
      • QoS
      • SNMP manageability
      • Console ports
      • Spanning tree
      • Remote administration capability (e.g., Telnet)
      • Port mirroring
      • VLAN-capable
      • Maintenance contracts available
   Small office: Any brand of switch. Hubs are not acceptable substitutes for switches.
   b. Justification
   Because switches do not impact the County WAN in the same way that routers do, there is more flexibility as to brand. Additionally, there is not much training required to administer different brands of switches. However, switches for large offices still need to have the enterprise-level capabilities listed above in order to effectively handle the volume of traffic.
   c. Warranty and Maintenance
   All switches must be leased or purchased with either:
      1. a premium maintenance agreement for the life of the equipment
      2. depot maintenance agreement and/or spare equipment for replacement
   d. Replacement
   Switches must be replaced when vendor support is no longer available, or is cost prohibitive.


3. Firewalls (Added 3/2006)
For the purposes of this document, firewalls are defined as hardware or software devices that limit access between networks, but do not include personal firewalls on individual PCs. There are no manufacturer requirements for firewalls, but firewalls installed within the County WAN must be ICSA Labs certified. Additionally, to facilitate troubleshooting of connectivity issues, departments must notify ITS when firewalls are installed.

4. CSUs/DSUs (Added 3/2006)
For the purposes of this document, CSUs/DSUs (Channel Service Unit/Data Service Unit) are defined as devices that connect LANs to WANs, generally via a T-1/digital circuit interface.
   a. Approved Manufacturers
      • AdTran
      • Cisco
      • Kentrox
      • Nortel
      • Paradyne
   Note: The County’s Communications Dept. may require a specific brand of CSU/DSU when connecting to the County’s microwave network.
   b. Justification
   Because CSUs/DSUs do not impact the County WAN in the same way that routers do, there is more flexibility as to brand.
   c. Warranty and Maintenance
   All CSU/DSUs must be leased or purchased with either:
      1. a premium maintenance agreement for the life of the equipment
      2. depot maintenance agreement and/or spare equipment for replacement
   d. Replacement
   CSUs/DSUs must be replaced when vendor support is no longer available, or is cost prohibitive.


5. Cable and Cable Installations (Revised 3/2006)
   a. Topology
   New or upgraded LAN installations must be Fast Ethernet at a minimum. Gigabit Ethernet is recommended.
   b. Copper Cables
   All new copper cable installations must be Gigabit rated cable.
   c. Fiber Optics
   All new fiber optic cable installations must be Multimode cable for LAN installations, except that Single Mode should be installed for long distance data and video transmissions.
   d. Installation Standards
   All contracts for cable installation, regardless of cable type, must include a requirement that the installation meet or exceed the applicable IEEE and/or CCITT industry standards.

B. Servers

1. Enterprise Servers (non Intel / AMD based – e.g., AS/400 servers) (Revised 3/2006)
   a. Manufacturers
   The choice of enterprise server is generally dictated by the application. For that reason no specific manufacturer is recommended.
   b. Warranty and Maintenance
   All enterprise servers must be purchased or leased with a premium maintenance agreement for the service life of the server.
   c. Replacement Period
   All enterprise servers must be replaced before vendor premium support is no longer available or is cost prohibitive.


2. Production Servers (Intel / AMD based)
   a. Approved Manufacturers
      • Departments with In-House Technical Support Staff: These departments must purchase or lease a production server manufactured by a preferred company unless a recognized exception applies. As of this writing the preferred companies are Dell, Gateway, HP, IBM and Stratus.
      • Departments without In-House Technical Support Staff: These departments must follow ITS specifications.
   b. Justification
   Standardizing on a preferred list of manufacturers increases the efficiency of technical staff and ensures reliable and adequate technical support. The server class requirement ensures that the hardware is designed for heavy network and 24x7 use.
   c. Minimum Specifications
      1. Server Class Machines Required
      Regardless of the choice of manufacturer, only a server class machine may be purchased for use as a production server, unless a recognized exception exists.
      2. Processor, System Memory, and Hard Drive
      Production servers, whether purchased or leased, must have the following as a minimum:
         Processor: Intel or AMD (No Celeron or Sempron)
         RAM: 1 GB
         Hard drive: 36 GB
   d. Warranty and Maintenance
   All mission-critical production servers must be purchased or leased with a premium maintenance agreement for the service life of the server.
   e. Replacement Period
   All mission-critical production servers must be replaced before vendor premium support is no longer available or is cost prohibitive. All other production servers must be replaced after no more than 5 years.


C. Desktop Computers (Revised 3/2006)
1. Approved Manufacturers
   a. Departments with In-House Technical Support Staff
   These departments must purchase or lease desktop computers manufactured by a preferred company unless a recognized exception applies. As of this writing the preferred companies are Dell, Gateway, HP and IBM.
   b. Departments without In-House Technical Support Staff
   These departments must follow ITS specifications.
2. Justification
Standardizing on a preferred list of manufacturers increases the efficiency of technical staff and ensures reliable and adequate technical support. The business class requirement ensures that the hardware is designed for network and 8 hour/day use.
3. Minimum Specifications
   a. Processor and System Memory
   Desktop computers, whether purchased or leased, must have the following as a minimum:
      Processor: Intel or AMD (No Celeron or Sempron)
      RAM: 512 MB
   b. Business Class Requirement
   Desktop computers must be business class machines specifically manufactured for installation in a network and must be certified by the manufacturer for the appropriate network client software.
4. Warranty and Maintenance
Desktop computers must be leased or purchased with a minimum of three years warranty.
5. Replacement Period
Desktop computers must be replaced after no more than five years of service.

D. Laptops & Tablet PCs (Added 3/2006)

1. Approved Manufacturers
a. Departments with In-House Technical Support Staff
These departments must purchase or lease Laptops or Tablet PCs manufactured by a preferred company unless a recognized exception applies. As of this writing the preferred companies are Dell, Fujitsu, Gateway, HP, IBM, Panasonic, Sony and Toshiba.
b. Departments without In-House Technical Support Staff
These departments must follow ITS specifications.

2. Justification
Standardizing on a preferred list of manufacturers increases the efficiency of technical staff and ensures reliable and adequate technical support. The business class requirement ensures that the hardware is designed for network and 8 hour/day use.

3. Minimum Specifications
a. Processor and System Memory
Because processing requirements vary greatly depending on how the laptop is being deployed, no standards are specified in this area.
b. Business Class Requirement
Laptop and tablet PCs must be business class machines specifically manufactured for installation in a network and must be certified by the manufacturer for the appropriate network client software.

4. Warranty and Maintenance
Laptop or Tablet PCs must be leased or purchased with a minimum of three years warranty.

5. Replacement Period
Laptop or Tablet PCs must be replaced after no more than five years of service.

II. Operating Systems and Software

Note: the County currently has Master License Agreements with Microsoft, Novell, SuSe Linux, and Network Associates (the producers of McAfee), which is part of the justification for recommending these brands. For the most current list of license agreements, see the Procurement section on CountyNet.

A. Operating Systems (Revised 3/2006)

1. Standard
Server Operating System:
  Microsoft Windows Server: 2003 or higher, any edition
  Novell NetWare: 6.5 or higher
  Linux: SuSe Linux Enterprise Server version 9.0 or higher; RedHat Enterprise Linux AS/ES version 3 or higher
PC Operating System:
  Windows: XP Professional Edition or higher
  Linux: SuSe Linux Desktop version 9.0 or higher; Fedora Core version 3 or higher; RedHat Enterprise Workstation version 3 or higher

2. Justification
a. Server Operating Systems
Microsoft Windows Server, Novell NetWare, and Linux all have a place in the County’s organization.
• Microsoft is the only available platform for many specialized applications, and is also a standard server operating system.
• NetWare is used by all departments to run GroupWise and is also used by some departments to run Novell ZenWorks and other NetWare-specific applications, and is also a stable, secure, and robust server operating system.
• Linux provides a very secure environment for Web servers and other applications, requires less powerful hardware, and has lower maintenance/upgrade costs than Windows.
• SuSe Linux is supported by Novell.

b. PC Operating Systems (including desktops and laptops)
Microsoft Windows and Linux both have a place in the County’s organization.
• Microsoft Windows is the only desktop operating system that many applications (including browser-based applications that require Internet Explorer) will run on.
• Linux is a viable alternative for those workstations that only require software that can run on Linux (e.g., Star Office, GroupWise, Firefox browser, etc.). Advantages include less susceptibility to viruses and lower purchasing costs than Windows. The listed versions/editions (e.g., SuSe) also offer growing technical support.
Note: It is up to each department to determine if they wish to use/support Linux technology and to ensure that applications and peripherals operate correctly.

B. Office Products Software (Revised 3/2006)

1. Standard
Any of the following:
a. Microsoft Office Suite 2000 or higher. The specific edition will depend on the individual department’s needs; options include Standard, Professional, and Developer’s Edition.
b. Sun’s Star Office version 7.0 or higher
c. Open Office version 1.1.2 or higher
Documents that are being shared or exchanged between County departments or with other agencies must be saved in an Office format (.DOC, .XLS, or .PPT) that can be viewed/edited in Office 2000 or higher.

2. Justification
a. General: Word processors, spreadsheets and desktop database programs should no longer be viewed as individual products. They should instead be viewed as components of an office suite, which integrates these functions into a single desktop business application.
b. Justification for Microsoft Office: Office has become the industry standard by default, and most of the non-County agencies with which County employees regularly exchange files/data are using the Microsoft suite. Additionally, Microsoft Office is often included at a low cost when leasing or purchasing new computers.
c. Justification for Star Office and Open Office: The primary goal of setting a single standard for office software was to make it easy for County employees to exchange files/data with each other and with non-County agencies. These two products allow that kind of exchange (both of them can save/open documents in Office formats such as .DOC and .XLS) and are less expensive to purchase/license than Microsoft Office (e.g., Open Office is free to download and install on unlimited PCs). The Sheriff has already successfully deployed Open Office in one of its substations.

C. E-Mail Software (Revised 3/2006)

1. E-mail Server Software
a. Standard
Product: Novell GroupWise
Version: 6.5 or higher
b. Justification: GroupWise is being used by all County departments and overall is a robust and stable product, as well as being less susceptible to e-mail viruses than Microsoft Exchange.

2. E-mail Client Software
a. Standard
Product: Novell GroupWise
Version: 6.5 or higher
b. Justification: GroupWise is being used by all County departments and overall is a robust and stable product, as well as being less susceptible to e-mail viruses than Microsoft Outlook. The version 7 desktop client also includes many features that were formerly only available with Microsoft Outlook.

D. Browser Software (Revised 3/2006)

Notes:
• This recommendation applies to the browser used to access County-developed internal Web applications as well as specialized public Web applications (e.g., ERODs).
• County-developed Web applications developed before March 2006 may still require Internet Explorer.

1. Recommendation
Product: Internet Explorer; Version: 6.0 or higher
Product: Mozilla Firefox; Version: 1.07 or higher

2. Justification
a. Internet Explorer: Is the industry standard and supports nearly all of the common techniques used in developing pages and applications.
b. Firefox: May be run on both Windows and Linux.

E. Anti-virus Software (Revised 3/2006)

1. Standard
Product: Network Associates (formerly McAfee) VirusScan for Windows servers/workstations or LinuxShield for Linux servers/workstations
Version: Most recent available version (VirusScan Enterprise 8.0.0) with latest available .DAT files; Windows servers must have the NetShield product loaded

2. Justification
In order for the County to be secure against viruses, every server and workstation needs to have anti-virus software installed and kept up-to-date. The Network Associates products are an industry standard.

F. PDF Software (Added 3/2006)

1. PDF creation software
a. Recommendation
Because there are now several alternatives to Adobe Acrobat for creating PDFs, no single product is recommended. However, the chosen product should be able to:
• Create PDF files that can be read with Acrobat Reader 5.0 or higher
• Create PDF files that load quickly
If using Adobe Acrobat to create PDFs, version 5.0 or higher should be used.
b. Justification
The above recommendation gives departments the option of using alternative (and usually less expensive) software to create PDFs while ensuring that the documents created can be opened using standard versions of Acrobat.

2. PDF viewing software
a. Recommendation
Product: Adobe Acrobat Reader
Version: 6.0 or higher with latest security patches applied
b. Justification
Adobe Acrobat is the industry standard for viewing PDF files, and is a free download. Version 6.0 is recommended because earlier versions may have difficulty in viewing files created in later versions of Acrobat.

III. Development Tools (Revised 3/2006)

Note: All Web development tools utilized for developing Web pages and Web applications must be consistent with and capable of meeting those goals identified in the "Recommended Guidelines/Minimum Standards for Kern County Web Pages", which may be modified from time to time by an affirmative vote of the Kern Information Technology User Group (KITUG).

Introduction

Notes:
1. Because a department's choice of development tools does not impact the County as a whole in the same way that their hardware and software platforms do, the following recommendations are guidelines rather than standards. However, departments choosing tools that are not on the following list should be aware that:
• Information Technology Services (ITS) cannot guarantee support for these tools (e.g., ColdFusion, Macromedia’s UltraDev) or for applications or Web pages built with those tools
• Tools for developing Web pages that require server-side components other than ASP (e.g., FrontPage extensions) may not be supported on the County’s primary public Web server (www.co.kern.ca.us)
2. In cases where ITS is not using an item listed below, the department(s) currently using the tool will be listed as a potential resource for other departments considering the tool.

A. Web Server and Application Server Operating System and Software (Revised 3/2006)

Recommendations
• Microsoft Internet Information Server (IIS) version 5.0 or higher, running on Windows 2000 or higher
• IBM’s WebSphere Studio family (any current version) running in an AS/400 environment; used by Child Support Services
• Apache version 2.0 or higher; used by DHS
• Tomcat version 5.5.X or higher; used by DHS

Note: The AS/400 is included as a Web server environment because it offers the ability to use existing hardware resources rather than maintaining a separate Web server, and the ability to leverage existing skills of AS/400 programmers and developers.

B. Library Management Software (Revised 3/2006)

Recommendations
• Microsoft SourceSafe version 6.0 or higher
• SubVersion version 1.2.3 or higher (and client TortoiseSVN 1.2.5 or higher); used by DHS
• CVS version 1.11.21 or higher; industry standard but not currently being used by County

C. Databases (Revised 3/2006)

1. Environment Recommendation
For Web-based applications, the database should be located on a server separate from the Web server, unless the database activity is very limited, or unless a mid-range server like an AS/400 is being used as the Web server.

2. Product Recommendations
Category: Multi-user applications including existing or new client/server, Web-based or single-component database applications
Recommendation:
• SQL Server 2000 or higher
• Oracle 8.0 or higher
• SyBase
• Informix
• MySQL
• PostGres (currently being evaluated by ITS)

Category: Existing or new single-user applications
Recommendation: MS Access 2000 or higher

Category: AS/400 applications
Recommendation: DB2; used by Child Support Services

D. Data-mining/Reporting Tools (Added 3/2006)

Product Recommendations:
• Crystal Reports version 9 or higher, for displaying database information in a specific format (may include charts, etc.)
• Monarch Pro version 7 or higher, for extracting information from a formatted report into a database or similar file

E. Integrated Development Environment (Revised 3/2006)

Note: For the purposes of this document, an Integrated Development Environment is a programming environment that has been packaged as an application program, typically consisting of a code editor, a compiler, a debugger, and a graphical user interface (GUI) builder.

Product Recommendations:
• Visual Studio (any edition) version 2000 or higher; used by Sheriff and others
• JBuilder version 2005 or higher; used by DHS
• Eclipse version 3.1 or higher; used by DHS
• WebSphere Studio Family, any supported version; used by Child Support Services
• NetBeans version 4.2 or higher; used by DHS

F. Programming Languages

Interpreted Programming Language / Development Tools Suite (Revised 3/2006)
Recommendations
• ASP (Active Server Pages) version 1.1 or higher
• JSP (Java Server Pages) version 2.0 or higher

Compiled Programming Language (Revised 3/2006)
Recommendations
• .NET framework, including ASP.NET, C#, and VB.NET
• Visual Basic
• Java
• C++
• C#

Scripting Language (Revised 3/2006)
Recommendations
• JavaScript for client-side scripting
• JavaScript or VBScript (whichever is more convenient in a given situation) for server-side scripting; is browser-independent

Tag-based/markup-based language (Added 3/2006)
Note: for the purposes of this document, Cascading Style Sheets (CSS) will be included in this category.
Category: HTML; Standard: HTML 4.01 or higher
Category: XML; Standard: 1.0 or higher
Category: CSS; Standard: CSS2 or higher; should be used rather than HTML for all presentation elements of a page/app (e.g., font size/face)

G. Web Page Development Tools

1. HTML Editors (Revised 3/2006)

Because the choice of HTML editor is a personal preference, more than one HTML editor is recommended. An acceptable HTML editor should create non-browser-specific code (i.e., resulting HTML looks correct in both Mozilla-based browsers and Internet Explorer). Other recommended features are:
• built-in code validation
• preview option
• color-coding or otherwise tagging various code components

Note: Software products that are not primarily HTML editors (e.g., MS Word, WordPerfect) should not be used to create HTML pages.

Recommended Products (Product: Features/Comments)
1st Page 2000: Free text-based editor with many of the same features as HomeSite
DreamWeaver: Includes FTP/site management tools.
FrontPage 2000 or higher: FrontPage is part of the Microsoft Office suite which is recommended in the software portion of these standards. Earlier versions of FrontPage are not recommended because 1) The overall office suite recommendation is Office 2000. 2) Earlier versions of FrontPage had some issues that have been resolved with FrontPage 2000. These issues include a tendency to insert HTML code that displayed incorrectly in non-Microsoft browsers (with FrontPage 2000, the user can identify what browser platforms the page will be viewed in) and a tendency to create more lines of HTML code than other editors.
GoLive: Works seamlessly with PhotoShop and other Adobe tools.
HomeSite: Extensive search/replace and validation functions
Hot Dog: Text-based editor with preview option
TextPad: Text-based editor with compare feature, global search/replace, etc.

2. Image Creation and Editing Tools (Revised 3/2006)

As with HTML Editors, the choice of these tools is a matter of personal preference; therefore, more than one product is recommended.

Recommended Products (Product: Department(s) Using)
Adobe PhotoShop, Illustrator: ITS
Macromedia Fireworks: ITS
Corel Graphics Suite version 10 or higher (includes PhotoPaint and CorelDraw): DHS
Ulead PhotoImpact: RMA, Planning

Appendix A – Product Support Lifecycles (Revised 3/2006)

Note: Because support end dates change frequently, updates to this appendix may be made without requiring Board approval.

General support definitions:
• Mainstream/full support includes: Incident support (no-charge incident support, paid incident support, support charged on an hourly basis, support for warranty claims), security update support, enhancement requests.
• Extended/limited support includes: Paid incident support, security update support and possible additional support if contract is purchased.

There may be some variation in these definitions between manufacturers/vendors; for details contact the manufacturer/vendor.

PRODUCT                        MAINSTREAM/FULL    EXTENDED/LIMITED
WINDOWS NT 4 WS & SERVER       EXPIRED            EXPIRED
WINDOWS 2000 WS & SERVER       EXPIRED            6/30/2010
WINDOWS XP PRO                 12/31/2006         N/A
WINDOWS 2003 SERVER            6/30/2008          6/30/2013
NETWARE 4.2                    EXPIRED            NOT OFFERED
NETWARE 5.1                    EXPIRED            11/1/2006
NETWARE 6.0                    EXPIRED            11/1/2006
NETWARE 6.5                    8/1/2008           8/1/2010
SUSE LINUX 8 SERVER            11/30/2007         NOT OFFERED
SUSE LINUX 9 SERVER            7/30/2009          7/30/2011
GROUPWISE 5.5                  EXPIRED            NOT OFFERED
GROUPWISE 6.0                  EXPIRED            8/4/2006
GROUPWISE 6.5                  TBD                NOT OFFERED
GROUPWISE 7.0                  8/15/2008          8/15/2010

PRODUCT                        MAINSTREAM/FULL    EXTENDED/LIMITED
OFFICE 2000 PRO                EXPIRED            6/30/2009
OFFICE 2000 STANDARD           EXPIRED            6/30/2009
OFFICE 2000 SMALL BUSINESS     EXPIRED            6/30/2009
OFFICE 2000 DEVELOPERS ED.     EXPIRED            6/30/2009
OFFICE XP PRO                  6/30/2006          6/30/2011
OFFICE XP PRO SPECIAL ED       6/30/2006          EXPIRED
OFFICE XP STANDARD             6/30/2006          6/30/2011
OFFICE XP DEVELOPER            6/30/2006          6/30/2011
OFFICE PRO 2003                12/31/2008         12/31/2013
OFFICE PROF ENTERPRISE ED.     12/31/2008         12/31/2013
OFFICE SMALL BUSINESS          12/31/2008         12/31/2013
OFFICE STANDARD                12/31/2008         12/31/2013
OFFICE BASIC ED                12/31/2008         12/31/2013
SUN’S STAR OFFICE V. 7 AND 8   (see note below)   See Next Page
OPEN OFFICE V. 2.0             FREEWARE           NO SUPPORT

Note on Sun’s Star Office mainstream/full support: (5) years after the Last Ship Date (LSD). The period from the LSD through the End of Service Life (EOSL) Date is referred to herein as the EOSL period.

Appendix B – Glossary (Revised 3/2006)

Active Server Page
A Web page that contains HTML and embedded programming code written in VBScript or JScript. It was developed by Microsoft starting with Version 3.0 of its Internet Information Server (IIS). ASP is Microsoft's alternative to CGI scripts and JavaServer Pages (JSPs), which allow Web pages to interact with databases and other programs.

C++
An object-oriented version of C created by Bjarne Stroustrup. C++ has become popular because it combines traditional C programming with Object-Oriented Programming (OOP) capability.

C# (pronounced "C-sharp")
An object-oriented programming language from Microsoft that aims to combine the computing power of C++ with the programming ease of Visual Basic. C# is based on C++ and contains features similar to those of Java.

CCITT
Consultative Committee on International Telephone and Telegraphy, now known as the ITU-T (for Telecommunication Standardization Sector of the International Telecommunications Union), is the primary international body for fostering cooperative standards for telecommunications equipment and systems. It is located in Geneva, Switzerland.

ColdFusion
See Macromedia.

Compiled Programming Language
See programming language.

Copper Cable
A reddish-brown metal that is highly conductive and widely used for electrical wire. When a signal "runs over copper," it means that a metal wire is used rather than a glass wire (optical fiber).

CSU/DSU
For the purposes of this document, CSUs/DSUs (Channel Service Unit/Data Service Unit) are devices that connect LANs to WANs, generally via a T-1/digital circuit interface.

Database application
An application that retrieves, updates, or creates records in a database (e.g., MS Access, dBASE III+, FoxBase, FoxPro, SQL Server, Oracle, DB2). Types of database applications include:
• Single-user: database resides either on a server or on a local workstation; only one user can access the data concurrently.
• Multi-user: database resides on and runs from a server; multiple users can access the data concurrently. These application types include:
  o Web-based: users display or update data via a Web-based interface; other than the Web browser, no specific client-side software is required
  o Client/server: database resides on a server, and application has at least two components, physical database and possible mid-tier server application(s) residing on the server and application specific software on the client; users use client portion of application to retrieve/update the database. Multiple users can access the data concurrently.
  o Single-component database applications: database resides on and runs from a server; no client-side specific software is required; multiple users can access the data concurrently. (Note: this 3rd category applies only to older applications written in languages like dBASE III+, not to newly-developed applications.)
Note: the trend is toward making most multi-user applications Web-based. Situations where client/server applications may still be used are:
• situations where security is paramount and users do not wish to have a Web front end (even though security can be built in to Web applications)
• situations where application is being used by only a few users within a single department
• situations where the application may run faster in client/server mode than via the Web

Data Mining Tool
An information extraction tool whose goal is to discover hidden facts contained in databases. Using a combination of machine learning, statistical analysis, modeling techniques and database technology, data mining finds patterns and subtle relationships in data and infers rules that allow the prediction of future results. Typical applications include market segmentation, customer profiling, fraud detection, evaluation of retail promotions, and credit risk analysis.

Depot maintenance agreement
Customer sends malfunctioning product to vendor, vendor fixes it, vendor returns it to customer.

Fiber Optic
Fiber optic (or "optical fiber") refers to the medium and the technology associated with the transmission of information as light impulses along a glass or plastic wire or fiber. Fiber optic wire carries much more information than conventional copper.

Firewall
For the purposes of this document, firewalls are defined as hardware or software devices that limit access between networks, but do not include personal firewalls on individual PCs.

HTML
HyperText Markup Language is the document format used on the World Wide Web. Web pages are built with HTML tags, or codes, embedded in the text. HTML defines the page layout, fonts and graphic elements as well as the hypertext links to other documents on the Web. Each link contains the URL, or address, of a Web page residing on the same server or any server worldwide, hence "World Wide" Web.

IEEE
Institute of Electrical and Electronics Engineers, New York, is a membership organization that includes engineers, scientists and students in electronics and allied fields. Founded in 1963, it has more than 300,000 members and is involved with setting standards for computers and communications.

IIS
Internet Information Server (IIS) is Web server software from Microsoft that runs under Windows.

Integrated Development Environment
For the purposes of this document, an Integrated Development Environment is a programming environment that has been packaged as an application program, typically consisting of a code editor, a compiler, a debugger, and a graphical user interface (GUI) builder. The IDE may be a standalone application or may be included as part of one or more existing and compatible applications. The IDE automates many of the tasks involved with application development. An IDE can be used for development of standalone, client/server, and web-based applications.

Interpreted Programming Language
See programming language.

Java
A programming language for writing client/server and Web applications. Developed by Sun, Java was modeled after C++, and Java programs can be called from within HTML documents or launched stand alone.

JavaScript
A popular scripting language that is widely supported in Web browsers and other Web tools. It is easier to use than Java, but not as powerful and deals mainly with the elements on the Web page. On the client, JavaScript is maintained as source code embedded into an HTML document. On the server, it is compiled into bytecode (intermediate language), similar to Java programs.

Macromedia UltraDev (formerly ColdFusion)
An application development tool from Macromedia for writing Web pages that interact with databases. Instead of writing tedious CGI and Perl scripts, operations are coded in the ColdFusion Markup Language (CFML) which uses HTML-like tags embedded in the Web pages. The ColdFusion engine, which interfaces with a Web server, interprets the codes, accesses the database and delivers the results as HTML pages for the Web browser. This is an alternative to Microsoft’s Active Server Pages.

Mission Critical
Vital to the operation of an organization.

Network Card
A printed circuit board that plugs into both the clients (personal computers or workstations) and servers and controls the exchange of data between them.

Operating System
The master control program that runs the computer; it is the first program loaded when the computer is turned on, and its main part, called the kernel, resides in memory at all times. It is an important component of the computer system, because it sets the standards for the application programs that run in it. All programs must "talk to" the operating system. The main difference between an operating system and a server operating system is the latter’s multi-user capability.

Premium maintenance agreement
Vendor cross ships replacement product; upon receipt, customer returns malfunctioning equipment.

Programming language
A language used to write applications. Programming languages fall into three basic categories:
Interpreted language: applications written in an interpreted language do not need to be compiled before they are executed. Examples include ASP, ColdFusion, and PHP.
Compiled language: applications written in a compiled language must be compiled before they can be executed. Compiled applications are platform-specific (i.e., they will only run with the operating system under which they were compiled). They are generally used to code complex applications that require functionality not provided by an interpreted language like ASP. Additionally, compiled languages run faster than interpreted languages. Examples of compiled languages include C++ and Visual Basic.
Scripting language: used to script certain actions in Web pages, such as causing the color of a menu button to change when the user clicks on it. Scripting languages, because they are supported/interpreted by software on the Web server, are not platform-specific. Examples of scripting languages include JavaScript and VBScript. Scripting languages are generally a sub-set of commands from a compiled language.
Tag-based language: a language for generating a Web page which uses special code strings (often starting with "<" and ending with ">") called tags to modify elements within the document. Tags are generally used in pairs, i.e., a beginning and ending tag are used to start and stop the process being enacted on the target element. A pseudocode example would be <sup>this is superscript text</sup>.
Some languages, notably Java, have both interpreted and compiled components; for the purposes of setting these standards, we have included Java under compiled languages.

Router
For the purposes of this document, a router is defined as a device that provides connectivity between subnets and is connected in any way to the County WAN. Devices or software that provide routing capabilities as a secondary function (e.g., firewalls) are not considered to be routers in this context.

Scripting Language
See programming language.

Server
A computer in a network shared by multiple users. The term may refer to both the hardware and software or just the software that performs the service. Types of servers include:
File/Print Server: a computer and storage device dedicated to storing files and/or managing printers. Any user on the network can store files on the server.
Application Server: Application Servers serve applications to users and are also used as traffic cops in database-intensive situations.
Web Server: A computer that provides World Wide Web (WWW) services on the Internet. It includes the hardware, operating system, Web server software, TCP/IP protocols and the Web site content (Web pages).

Server Operating System
An operating system that manages network resources. It manages multiple requests (inputs) concurrently and provides the security necessary in a multi-user environment. Examples include Linux, NetWare, and Windows Server.

Small Office
For the purposes of this document, a "small office" is defined as an office that has 12 or fewer total devices/connections.

Switch
For the purposes of this document, a switch is defined as a device that provides non-routed connectivity between devices on the same subnet.

Tag-based language
See programming language.

VBScript
A programming language developed by Microsoft for Web applications. It is an extension to Microsoft's Visual Basic language. VBScript is widely used as the scripting language in Active Server Pages (ASP).

Visual Basic
A version of the BASIC programming language from Microsoft specialized for developing Windows applications. Visual Basic has become very popular for Windows development and is widely used to write client front ends for client/server applications.

Information Security Policies

Virus Protection Policy
Software Copyrights and Licensing Policy
Security Policy Provisions for Purchased and Internally Developed Software
Protection of Sensitive Information Policy
Physical Security Policy
Information Security Perimeter Policy
Information Security Incident Response Policy
Information Security Exception Policy
Information Classification Policy
Information Security Risk Assessment Policy
E-mail Policy
Business Continuity Policy
Wireless Communication Policy
Logon Banner Policy

Virus Protection Policy
Issue Date: March 8, 2005
Revision Date:

1. Policy Purpose
All County Personal Computers (desktop, laptop, hand-held devices) and servers are to maintain active virus protection according to the responsibilities described within this policy.

2. Policy Description
A virus is a piece of self-replicating code, most often a malicious software program designed to destroy or damage information on computers. Some viruses cause no damage, but a significant number are specifically designed to cause data loss. Potential sources of viruses include shared media such as floppy disks or CDs, e-mail (specifically, e-mail attachments), and documents downloaded from the Internet. A virus infection is almost always costly to the County whether through the loss of data (possibly permanent), staff time to recover a system, or the delay of important work. At the County, computer viruses impact the County as a whole and not just infected systems in a specific department. This is the case because all County departments share countywide systems (e.g., e-mail system, shared network infrastructure). In a networked environment, the weakest link in the chain can breach the security of the information on the entire network.

3. Policy Responsibilities

Information Technology Services (ITS) Responsibilities
• Define an enterprise anti-virus solution and negotiate a volume purchase for the County as a whole.
• Architect and monitor the overall design, function, and effectiveness of the anti-virus protection systems throughout the County.
• Inform departments of recommended operating system and application patches that are required to protect against potential system security problems.
• Provide guidelines and mechanisms for installing and maintaining the anti-virus software and pattern file updates on departmental servers and workstations.
• Proactively notify departmental IT contacts of high-risk viruses as soon as they are known to be in circulation. Appropriate staff (e.g., WAN, IT Security, Customer Services) will distribute information or warnings regarding viruses to departmental IT staff or end users, when appropriate, and serve as a clearinghouse to communicate virus incident information received from departments or outside sources.

Department Responsibilities
• Develop and implement a plan to ensure that all departmental file and print servers and all workstations have current anti-virus software installed and are properly administered.
• Ensure that once installed, anti-virus software cannot be disabled on servers or workstations.
• Train users on the use of anti-virus software on the desktop.
• Apply any recommended operating system and application patches to protect against potential system security problems.
• Notify ITS of any virus or network security-related incidents.
• Designate a primary and an alternate coordinator who can be contacted and is able to participate in the event of a significant virus incident.

Individual User Responsibilities
• Exercise caution when opening e-mail attachments. Do not open attachments that you do not expect or that come from senders you do not know.
• Exercise extreme caution when accessing files from the Internet. Files should only be accessed from reputable sites.
• E-mail attachments and downloaded files should be isolated and scanned for viruses. (If unsure, contact your departmental IT staff.)
• Report virus incidents to your departmental IT staff immediately.
• Do not modify the anti-virus software or its configuration in any manner unless directed by departmental IT staff.
4. Enforcement
Violators of this policy may be subject to appropriate disciplinary action up to and including employment termination, termination of agreements, denial of service, and/or legal penalties, both criminal and civil.

Software Copyrights and Licensing Policy
Issue Date: March 8, 2005
Revision Date:

1. Policy Purpose
To establish a countywide policy that ensures the County uses only legally obtained software, to establish a uniform means to document that software in use is legally licensed, and to reduce the potential financial liability to the County.

2. Policy Scope
This policy applies to all users of County-owned or leased equipment that uses computer software to perform any form of computer processing, including but not limited to: personal computers, servers, communication/paging devices, lab testing equipment, ballot counting devices, etc. This policy also applies to all types of licensing methods, including but not limited to: standard two-party license agreements, open source licensing, shrink-wrap licenses, “I Agree” licenses, shareware licensing, freeware licensing, and public domain licensing.

3. Policy Description
Use only legally acquired and licensed software.
• A software license is a license to use the software on a specific device or by a specific number of users. A software license does not give ownership of the software to the Licensee and generally restricts the user’s rights to a few very specific uses.
• There is a significant financial liability to the County if software that has not been legally obtained is used on County-owned or leased equipment.
• Only software that has been legally acquired and licensed by the County for County use may be used on County-owned equipment. A department head may make exceptions for a period of 30 days or less for evaluation purposes, after having determined that such use of third-party software is legally allowed under the license for that software and after having determined that the software is virus free.
• Only software that is specifically licensed for Home Use may be used on personally owned computers of employees.
• Copies of software must not be made for use on secondary computers, such as County-owned laptops, unless the software license specifically allows for such copies to be made and used during periods of non-use on the primary computer.
• Generally, you may only make copies of software for back-up purposes.
• Only the Board of Supervisors or the County Purchasing Agent has the authority to accept the terms and conditions of a software license. This authority may be delegated by the Board with certain restrictions and established procedures to be followed.
Software developed by County: Software developed at the expense of the County, either by County staff or contractors, inclusive of derivative works, is considered intellectual property owned by the County. The department is responsible to the originating funding source for reasonable and proper use/disposition of the intellectual property, just as it is with physical property. Any release of County-owned intellectual property to other entities, public or private, must be based on sound business practices. However, software that has been developed with funding from the State or federal government may be considered public domain, to the extent that it might have to be made available to other government entities free of charge except for the cost of duplication.

4. Policy Responsibilities
Responsibilities for implementation of this policy are:

ITS Responsibilities:
• Review software licenses for conformance to Board of Supervisors’ policies.
• Assist departments in negotiating changes to software licenses.

Department Responsibilities:
• Ensure they have valid licenses for all software used in their department.
• Maintain in a permanent departmental file positive proof of all software licenses acquired for use by that department.
• Be aware of and enforce all County responsibilities pursuant to the software license.
5. Enforcement
The County retains the right to examine all electronic storage media, data files, logs and programs used on County computer equipment. This policy is intended as a starting point and may be enhanced by departments to cover any special circumstances. Violators of this policy may be subject to appropriate disciplinary action up to and including employment termination, termination of agreements, denial of service, and/or legal penalties, both criminal and civil.

6. Definitions
Copyright: The exclusive legal rights to publish, reproduce, copy, or sell the matter and form. If a work is copyrightable, it should be treated as if it is protected by copyright.
License: Authorization by the owner of a work permitting the use of that work.
Derivative works: Programs or files developed using or linked to proprietary software.
Security Policy Provisions for Purchased and Internally Developed Software
Issue Date: March 8, 2005
Revision Date:

1. Policy Purpose
All software purchased for or developed by the County must adhere to applicable County security policies. This policy describes the guidelines to be used when developing or acquiring such software.

2. Policy Scope
This policy applies to all information systems developed or acquired by any County department, including Commercial Off-the-Shelf (COTS) applications and custom developed applications. If individual department policies overlap County policy, the more stringent policy shall apply.

3. Policy Description
a. Internally Developed Software
Early in the development life cycle of a new information system (application), it is essential that appropriate security features be included in the design specification to ensure that the new system meets the requirements of County and departmental security policies. Examples of features that should be considered are listed in section 5 below.

b. Information System Acquisitions
Security features of Information Systems must be completely addressed in any Request for Proposals (RFP) released by any department or agency within the County. Examples of security features to be included are enumerated in section 5 below.

4. Policy Responsibilities
Department Responsibilities
• Identify security requirements when developing specifications for any information systems. Include these requirements in appropriate design or RFP documentation.
• Request review of specified security features from the Information Technology Services Division.

Information Technology Services (ITS) Responsibilities
• Review specifications for proposed information systems to ensure that applicable security features are included with sufficient clarity and level of detail to fulfill the requirements of the County security policies.
• Provide guidelines on information to be included in design and/or acquisition documentation.

5. Security Feature Examples (including but not limited to)
• User ID and Password protection
• Use of “Strong” passwords
• Automatic Password expiration
• Encryption of sensitive information
• Role based information access authorization
• Logon Banners

6. Enforcement
Violators of this policy may be subject to appropriate disciplinary action up to and including employment termination, termination of agreements, denial of service, and/or legal penalties, both criminal and civil.

Protection of Sensitive Information Policy
Issue Date: March 8, 2005
Revision Date:

1. Policy Purpose
This policy outlines measures that should be used to protect electronically processed and stored information identified as Sensitive in the Information Classification Policy.

2. Policy Scope
This policy applies to all Sensitive information that exists within the County environment, either owned by or in the custody of the County.

3. Policy Description
Sensitive County information must be protected from unauthorized release or disclosure. This policy states the roles and responsibilities of all of the people involved in the creation, use, handling, storage and destruction of Sensitive information that is stored or transmitted electronically.

Responsibilities
Director of Information Technology Services
• Identify/review acceptable methodologies for protecting Sensitive information as requested by the information owner.
• Ensure removal of Sensitive information from data storage and memory of computer equipment prior to sending such equipment for maintenance, salvage, or redeployment.
• Protect software and Sensitive information by including a nondisclosure agreement or other appropriate document with outside professional services contracts.
County Users/Information Systems Employees:
• Protect information resources against unauthorized access, loss, or destruction.
• Retain information solely for legitimate business purposes.
• Retrieve confidential or restricted documents immediately from fax machines, printers, or copy machines.
• Shred printed Sensitive data/information prior to disposal.
• Secure access codes and information (i.e., dial-up phone numbers, passwords) as required by other applicable County policies.
• Contact the Departmental Information Security Representative or, if unavailable, an immediate supervisor, if it is suspected that information errors are the result of illegal tampering or modification of data.
• Do not leave Sensitive information unattended.

Information Security Representative:
• Investigate reports of data/information suspected of illegal tampering.
• Inform users about the reasons data has to be protected, legislation that affects their work, and other topics within the Information Security Policies.

4. Enforcement
Violators of this policy may be subject to appropriate disciplinary action up to and including employment termination, termination of agreements, denial of service, and/or legal penalties, both criminal and civil.

Physical Security Policy
Issue Date: March 8, 2005
Revision Date:

1. Policy Purpose
This policy describes the responsibilities for protecting physical computer and information resources, including non-computer informational assets.

2. Policy Scope
This policy applies to all County information and information system assets.

3. Policy Description
The County requires that appropriate environmental, protective, and access control systems are in place to protect information resources, including both computerized and non-computer informational assets. Proper and adequate physical security and protection of hardware, software, and other County controlled assets is the responsibility of all County departments and their employees.

4. Policy Responsibilities
Department Directors or Departmental Designee(s):
• Review and retain logs of system level security violations and retain records per the County Administrative Policy and Procedures Manual or other statutory requirements.
• Identify and enforce physical security requirements, including controlled access.
• Identify requirements for environmental protection of the computer center and any remote facilities.
• Maintain records of individuals assigned access codes/keys/combinations, limiting distribution of computer center or information facility access codes or keys (e.g., hard, proximity, magnetic stripe) and combinations only to those employees needing entry to fulfill their job requirements.
• Maintain records and keep current an inventory of physical computer and information resources, including peripherals.
• Maintain and keep current a list of authorized service vendors entering the computer center for repair and maintenance of equipment.
Departmental Information Systems Employees:
• Report the loss or theft of an information resource to management, complete required forms, if any, and complete a written incident report to be kept with the departmental inventory. If appropriate, notify the Auditor-Controller-County Clerk’s office of the loss or theft as required.
• Be alert to suspicious individuals (e.g., maintenance, public and others visiting the organization, delivery personnel, vendors, etc.) and be prepared to challenge individuals entering the computer center or other restricted areas.
• Provide a secure location to store backup information.

Departmental Users:
• Secure information resource equipment in their possession at all times.
• Report the loss or theft of an information resource to management immediately, both orally and on standard County reporting forms.
• Challenge any persons or activities unknown to you or that appear not to belong at that physical location.
• Ensure proper disposal of an information asset based upon departmental, local, State, or federal law or rule.

5. Enforcement
Violators of this policy may be subject to appropriate disciplinary action up to and including employment termination, termination of agreements, denial of service, and/or legal penalties, both criminal and civil.

Information Security Perimeter Policy
Issue Date: March 8, 2005
Revision Date:

1. Policy Purpose
This policy defines the Security Perimeter and its supporting architecture. The policy also establishes the root authority responsible for the management and configuration of the Security Perimeter.

2. Policy Scope
The Security Perimeter is an essential and critical Wide Area Network component and crucial to the security of County infrastructure information systems. This policy applies to all resources, systems, connectivity, and services as defined within the Security Perimeter and to all entities located on the County Wide Area Network. This policy will not supersede existing legal requirements.

3. Policy Description
The Security Perimeter is defined as all resources, systems, connectivity, and services responsible for enabling and maintaining connectivity between the County, its business partner(s), and all other external-to-organization resource(s) or service(s). It represents the “managed point of entry/exit” to County infrastructure resources. It includes, but is not limited to, Firewalls, Intrusion Detection Systems (IDS), Demilitarized Zones (DMZ’s), remote connectivity resources, and the network architecture resources providing connectivity for the environment.

The CAO Information Technology Services Division (ITS) is responsible for the Security Perimeter and its management. Departments must submit to the CAO for approval any plans that may require modifications to the Security Perimeter or any changes that could affect the Security Perimeter. The CAO will ensure that any changes, additions to, or deletions from the Security Perimeter adhere to current Information Security Perimeter Standards as adopted by the County.

4. Policy Responsibilities
CAO/ITS
CAO/ITS is the root authority for the Security Perimeter. In this role CAO/ITS will review all departmental requests for Security Perimeter modification. CAO/ITS may take any action deemed necessary to ensure the security of County resources. This includes but is not limited to:
• Termination/Shutdown of connectivity
• Termination/Shutdown of services
• Termination/Shutdown of resources
• Termination/Shutdown of systems

All actions taken by CAO/ITS are subject to review and/or appeal to TAC.

Departments
Departments must submit requests for Security Perimeter modifications to CAO/ITS. Security Perimeter modifications include, but are not limited to:
• Firewall rule modification.
• External network access to the County WAN by vendors or agencies.
• Wireless network or device installation.
• Any device or system that, when installed, may result in a breach of the Security Perimeter.

Any transient device or system to be temporarily connected through the Security Perimeter must meet the requirements of the Wireless Policy and the Virus Protection Policy.

5. Enforcement
Violators of this policy may be subject to appropriate disciplinary action up to and including employment termination, termination of agreements, denial of service, and/or legal penalties, both criminal and civil.

6. Definitions
Demilitarized Zones (DMZ’s): Area where web servers are typically located, between the public and private sides of a firewall.
Intrusion Detection Systems (IDS): Application that analyzes network traffic and notifies someone when suspicious activity is detected.
Transient Devices/Systems: County and non-County equipment that is non-permanent, including laptops, PDAs, network analysis equipment, test equipment, etc.

Information Security Incident Response Policy
Issue Date: March 8, 2005
Revision Date:

1. Policy Purpose
This policy outlines the required steps to be taken in the event of a real, perceived or potential information security incident. Due to a variety of issues, it is imperative that a formal reporting and response policy be followed when responding to security incidents.

2. Policy Scope
This policy applies to all authorized users of County computerized systems, including employees, contractors, vendors and other users. This policy is in effect countywide, whether systems are used on County premises or off site.

3. Policy Description
Notify the department’s designated Information Security Representative (ISR) immediately of any suspected or real information security incident. If the ISR is not available, the user must notify their immediate supervisor. If it is unclear whether a situation should be considered an information security incident, the ISR should be contacted to evaluate the situation. The ISR will coordinate any investigative or corrective action deemed necessary in response to the information security situation. Samples of incidents requiring a response will be published by ISAC.

4. Policy Responsibilities
Individual Users:
• Report any perceived information security incidents to the departmental ISR.

County Departments:
• Create and maintain an Incident Response Plan, based on the template published by the ISAC, containing (at a minimum) specific processes for the reporting and evaluation of security incidents. This plan should identify the Information Security Representative(s) for the individual department.

ISR:
• Evaluate the situation and take appropriate action as defined by the Incident Response Plan.
• Keep a record of incidents and actions taken in accordance with the Incident Response Plan.
• If deemed necessary, coordinate the incident with the Computer Incident Response Team (CIRT).

CIRT:
• Respond to security incidents as needed.
• Coordinate with law enforcement agencies as required.

Director, ITS Division:
• Review Security Incident Reports.
• Compile and maintain security incident statistics.
• Appoint a qualified CIRT.

5. Enforcement
Violators of this policy may be subject to appropriate disciplinary action up to and including employment termination, termination of agreements, denial of service, and/or legal penalties, both criminal and civil.

6. Definitions
ISR: Information Security Representative, a department-appointed position.
CIRT: Computer Incident Response Team.

Information Security Exception Policy
Issue Date: March 8, 2005
Revision Date:

1. Policy Purpose
Occasionally situations arise that cannot be effectively addressed within the constraints of existing Information Security policies and standards. Nevertheless, County security needs must not be compromised. A standard way of dealing with these occurrences must be provided through a process for reviewing and approving or denying requests for exceptions.

2. Policy Scope
This policy applies to all personnel who have, or are responsible for, an account (or any form of access) on any system that resides at any County facility, have access to a County network, or store any County controlled information.

3. Policy Description
Deviations from Information Security policies and standards shall not be permitted without approval via an authorized exception review process conducted by a TAC-appointed Security Exception Review Committee. Evaluations of exception requests will take into account the compensating benefits to the County in each exception request. Requests that create significant risks without compensating controls will not be approved. Requests for exceptions should contain the following information:
• Identification of the policy for which the exception is being requested.
• A description of how the exception is contrary to the established policy.
• A description of the justification for the exception.
• A description of the benefits the County would gain by granting the exception.
• Identification of the risks associated with granting the exception.
• A description of the steps that will be taken to mitigate any potential security risks to the County.
• Any additional information requested by the Security Exception Review Committee.

4. Enforcement
Violators of this policy may be subject to appropriate disciplinary action up to and including employment termination, termination of agreements, denial of service, and/or legal penalties, both criminal and civil.

Information Classification Policy
Issue Date: March 8, 2005
Revision Date:

1. Policy Purpose
This policy defines how information is to be classified. The information covered in this policy includes, but is not limited to, information that is either stored or shared via electronic means or in hardcopy form. Information and application owners, as well as other employees, should familiarize themselves with the Information Classification Policy. Questions about the proper classification of a specific piece of information should be addressed to your department management.

2. Policy Scope
All information is categorized into two main classifications:
• Public
• Sensitive

Public information is defined by the California Public Records Act, and is contained within California Government Code 6254.9. Sensitive information is any information declared by law or policy to be non-public information. Sensitive information includes the following:
• Restricted Data
• Private or Confidential Data
• Protected Data
• Intellectual Property
The Information Owner is the classification authority. It is the responsibility of the Information Custodian to apply appropriate measures to protect electronically processed and stored information so classified by the owner of that information.

3. Policy Description
Follow the guidelines below on how to classify information at varying levels:

3.1 Public Records. According to California Government Code §6254.9:
(a) Computer software developed by a state or local agency is not itself a public record under this chapter. The agency may sell, lease, or license the software for commercial or noncommercial use.
(b) As used in this section, "computer software" includes computer mapping systems, computer programs, and computer graphics systems.
(c) This section shall not be construed to create an implied warranty on the part of the State of California or any local agency for errors, omissions, or other defects in any computer software as provided pursuant to this section.
(d) Nothing in this section is intended to affect the public record status of information merely because it is stored in a computer. Public records stored in a computer shall be disclosed as required by this chapter.
(e) Nothing in this section is intended to limit any copyright protections.

3.2 Non-Sensitive Information. Non-sensitive information is considered public information. This is information that has been declared public by the California Public Records Act. For guidance on releasing public information beyond the scope of one’s immediately defined work responsibilities, consult your department’s policy.

3.3 Sensitive Information. Sensitive information can be broken down into other classifications: restricted, private or confidential, protected, and intellectual property. Sensitive information includes personal, medical records or financial information on employees, constituents, citizens, customers, business partners, or anyone else that has not been previously defined in law to be a public record. Sensitive information may also include any other information that could enable an individual to commit identity theft when so defined in law or policy. Other sensitive information includes critical infrastructure schematics or infrastructure protection plans, including buildings, vehicles, telecommunications, and systems. Information that is covered by non-disclosure agreements or intellectual property practices is considered sensitive information.

a. Restricted Data. Examples of restricted information include CLETS, Medical Examiner/Coroner, District Attorney, Public Defender and Protected Health Information (PHI), system documentation, and details about the operating environment hosting restricted information. Information of this nature is sensitive and could have immediate detrimental effects if released to the wrong individuals. Specifically, restricted information could expose individuals to danger, suspend large segments of business operations, or cause extensive damage to resources. Only County personnel designated in writing and approved by the information owner are authorized access to restricted information. Access approval processes are developed for each restricted system. The information owner retains classification authority, access control, and distribution control responsibilities. The owner department designates restricted data and systems in writing to the Information Custodian. Restricted data may also be contained in the following elements of restricted systems:
• Computer readable files
• Reports and printouts
• Terminal and monitor displays
• Program source and object code
• Systems and program documentation
• User documentation
• Information related to in-progress legal proceedings
• The combination of a logical address, user ID, and password
• County-owned or third-party Intellectual Property
b. Private or Confidential Data. Some data collected and maintained by the County are protected from public disclosure through various privacy and confidentiality statutes, and thus are not available under existing public information laws. Examples of private or confidential information include:
• Passwords
• Personal medical condition or related information
• Social Security Number (SSN)
• Personal or family information
• Family names
• Ages
• Personal or business partner financial and banking data, including credit cards, bank routing numbers and bank account information
• Personal information provided by constituents in the course of delivering any public health or social service (name, address, phone, SSN, family names, personal historical detail)
• County financial data not deemed public by the Public Records Act
• Employee performance reviews, discipline reports and other personnel data
• Information related to in-progress legal proceedings
• The combination of a logical address, user ID, and password
• County-owned or third-party Intellectual Property
Only County personnel with a designated need-to-know, or others with Board approval and within any overriding State or federal statute or regulation, are authorized access to private or confidential information. The information owner retains classification authority, and only the information owner is authorized to approve or disapprove both access and distribution requests. All requests of any nature to release Private or Confidential data to an entity outside of the County, whether a private request or an order of a Court, must be reviewed and approved by County Counsel and the CAO prior to release. County Counsel and the CAO will also determine if any form of protection, such as a non-disclosure agreement, is required to protect the data from further unauthorized release.

c. Protected Information. This is information generated in the normal course of managing County operations that may be a public record under the Public Records Act; however, if made available by publishing in a public medium it would create a potential physical threat or potential disruption to County operations. Examples of protected information include:
• Telecommunications and cabling schematics
• Disaster Recovery Plans
• Operational Recovery Plans
• Network schematics
• Physical facility schematics
• Preliminary reorganization plans
• Detailed information about ongoing projects
• Time sensitive information
• Risk assessments
• System controls
• Evaluations of RFP’s or other procurement results
Work products that are in a draft or preliminary form are not subject to the Public Records Act referenced above and should not be released outside the County without specific approval of County Counsel and the CAO. Work products, such as those listed above, that are in final form should only be routinely accessed by County personnel whose job function requires access for normal business purposes. The information owner retains classification authority and provides general guidelines regarding release of the information outside the County. County managers are authorized, based on those guidelines, to approve or disapprove both access to and distribution of requested information. When in doubt however, managers must always obtain department information owner consent before granting access or releasing protected information. It is strongly recommended that the CAO and County Counsel be consulted and a nondisclosure agreement be executed by the requesting entity if it is felt to be in the best interests of the County to restrict further distribution of the information. d. Intellectual Property. Without specific written exceptions, all programs and documentation generated by, or provided by employees, consultants, or contractors for the benefit of the County are the property of the County. The County has legal ownership, and therefore maintains exclusive rights to patents, copyrights, inventions, or other intellectual property developed by employees, consultants, or contractors for use on County systems. This includes intellectual property stored on County computer and network systems as well as all messages transmitted via these systems. County software, documentation, and all other types of internal information must not be sold or otherwise transferred to any non-County party for any purposes other than County business purposes. Registered software purchased from a non-County source is considered third-party intellectual property. 
Ownership and limitations on use are established by the registered owners’ licensing agreements.

4. Information Classification

Information ownership is the direct responsibility of user departments. Department heads and/or designee(s) are responsible for being knowledgeable about confidentiality and privacy laws specific to their department’s functions. Department heads and/or designee(s) are responsible for all aspects of the classification, use, distribution and protection of County information within and outside of their respective departments. This responsibility includes determining the level of access to be granted to a user. Information owners are responsible for coordinating with the Information Custodian to ensure that the facility security needs of sensitive information are met.

5. Declassifying or Reclassifying Information

Only the Information Owner may downgrade or declassify information. Downgrading is, for example, the process of reclassifying information from “Restricted” to “Confidential”. Declassifying is the process of reclassifying information from “Confidential” to “Unclassified” or “Public”. Specific procedures may exist for specific categories of Private or Protected information as mandated by other State or federal regulations.

6. Enforcement

Violators of this policy may be subject to appropriate disciplinary action up to and including employment termination, termination of agreements, denial of service, and/or legal penalties, both criminal and civil.

7. Definitions

Access: Making information available to only those individuals with a business need to know; requires authorization by the Information Owner and signed Ethics and Responsible Use and Non-Disclosure Agreements.

Distribution within: Access within the owning department or other County entity with a business need to know via approved electronic file transmission methods.

Distribution outside: Access outside of the County to approved parties with a business need to know via public or private carriers and approved electronic file transmission methods.

Information Custodian: The person responsible for overseeing and implementing the necessary safeguards to protect the information assets, at the level classified by the Information Owner.

Information Owner: The department head and/or designee(s) assigned responsibility under State or federal law or County policy for specific data, including classification, protection and assigning access.

Intellectual Property: Documentation, software, code, copyrights, inventions or patents to which the County or a third party has legal ownership, and therefore maintains exclusive rights.

Non-Sensitive Information: Non-sensitive information is considered public information.

Private or Confidential Data: A category of Sensitive Information. County-held information requiring defined access and distribution controls.

Protected Data: A category of Sensitive Information. Information that may be deemed public by the Public Records Act, but if made available through public media could create vulnerabilities for the County.

Public Information: Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to the County or its customers and/or business partners.

Restricted Data: A category of Sensitive Information. Information that by law requires strict access and distribution control. State and federal laws and regulations that place stringent privacy and security requirements on some or all of the data prescribe protection measures.

Sensitive Information: Sensitive information is any information not declared by law or policy to be public information.

Information Security Risk Assessment Policy
Issue Date: March 8, 2005
Revision Date:

1. Policy Purpose

The purpose of this policy is to identify and authorize individuals charged with responsibility for assessing risk; to identify the security policies and procedures to be enforced in order to initiate appropriate remediation; and to require the performance of periodic information security risk assessments for the purpose of determining areas of vulnerability.

2. Policy Scope

Under the jurisdiction, authority, and responsibility of the County Administrative Officer (CAO), Information Security Risk Assessments can be conducted on any entity within the County governance structure. This includes, but is not limited to, any information system, application, server, network, facility, and/or any process/procedure by which these systems or facilities are administered and/or maintained.

3. Policy Description

The performance of Information Security Risk Assessments is a critical business function that identifies vulnerabilities within an information system’s environment. Therefore, this policy requires the full cooperation of those involved with any Information Security Risk Assessment, be they directly or indirectly involved with the area being assessed. It is the joint responsibility of the Information Security Risk Assessment Team and those responsible for the area being assessed to perform effective remediation for any identified risks.

3. Policy Responsibilities

• The CAO or designee(s) is/are responsible for the appointment of Information Security Risk Assessment Teams.
• Under the direction of the CAO or designee(s), the Information Security Risk Assessment Teams have the authority to periodically conduct risk assessments to ensure the acceptable operation of the area assessed.
• Information Security Risk Assessments will be conducted with the proper security clearances and with the full cooperation of those responsible for the area assessed.
• All Information Security Risk Assessment findings will be documented, kept confidential, and distribution limited to the necessary parties identified at commencement of the Information Security Risk Assessment.
• Identified vulnerabilities will be assessed for criticality. All vulnerabilities that unnecessarily endanger or expose mission critical resources must be immediately remediated.
• All vulnerabilities identified for remediation must be reported to and acknowledged by the CAO, along with the department’s response.

4. Policy Enforcement

Violators of this policy may be subject to appropriate disciplinary action up to and including employment termination, termination of agreements, denial of service, and/or legal penalties, both criminal and civil.

5. Definitions

Entity: Any business unit, department, group, or third party, internal or external, responsible for maintaining assets.

Risk Assessment Team: County employees or contractors designated with the authority to conduct Risk Assessments.

Risk: Those factors that could affect confidentiality, availability, and integrity of key information assets and systems.

E-mail Policy
Issue Date: March 8, 2005
Revision Date:

1. Policy Purpose

This policy defines how County e-mail communications are to be used in a professional manner for County purposes. In addition, it defines how County e-mail communications are to be secured to prevent unauthorized access, to prevent unintended loss or malicious destruction of data, and to provide for the integrity and availability of all e-mail systems.

2. Policy Scope

This policy applies to all authorized users of County e-mail systems, including employees, contractors, vendors and other non-County users who have been granted access to County-owned electronic communications. This policy is in effect countywide, whether the systems are used on County premises or off site.

3. Policy Description

County information technology resources, including e-mail, are to be used for County business purposes. Policies for incidental and non-business use of County information technology resources must be defined by each individual County department. Access to e-mail services is a privilege that may be wholly or partially restricted without prior notice or without consent of the user.

County government retains all property rights in any matter created, received or sent via the County’s electronic communications systems, and such matter is not the property of the employees. Employees should have no expectation of privacy in any matter created, received or sent using the County’s electronic communications systems. All e-mail is subject to audit and periodic unannounced review by authorized individuals as directed by the director of each department, without the permission of the sender or recipient. The County reserves the right to override any individual password and access all electronic mail messages for any purpose, and to disclose such matter to authorized individuals within the organization.

E-mail is subject to the policies concerning other forms of communication as well as all other applicable policies including, but not limited to, confidentiality, conflict of interest, general conduct and sexual harassment. E-mail services shall not be used for purposes that could reasonably be expected to cause, directly or indirectly, excessive strain on the e-mail system or unwarranted or unsolicited interference with others’ use of e-mail or the e-mail system.

County departments shall take appropriate steps to protect all e-mail servers from various types of security threats as follows:

• Place e-mail servers in safe locations that are physically secured. See the “Physical Security” policy for more information.
• Back up e-mail server software and data on a regular basis. Refer to the “Business Continuity” policy for more information.
• Run anti-virus software on the e-mail servers to protect the server itself and all the e-mail messages that traverse it.
• Apply the same security guidelines to the e-mail servers as to the other County servers.

All County departments must have appropriate procedures in place to monitor personnel having administrative access to e-mail servers.

Employees shall only access e-mail through systems set up by the County. Employees shall not access Hotmail, AOL, Yahoo, and similar e-mail accounts over the County’s Wide Area Network (WAN), including web-based e-mail hosted outside the County. These types of e-mail accounts have been found to bypass the County’s security network and make the County’s WAN vulnerable to viruses.

E-mail generates correspondence, which may be recognized as official records in need of protection/retention in accordance with the California Public Records Act. Therefore, electronically stored mail is subject to retention requirements. County departments shall determine an e-mail data retention policy as applicable to their security requirements. Retention of e-mail should be kept to the minimum required by law and business purposes.

Encryption of e-mail may be appropriate in some instances to secure the contents of an e-mail message. Each user should be cognizant of the sensitivity of information contained in e-mail and understand that it may be passed beyond the intended recipient. Encryption must follow County standards.

Occasionally there is an immediate need to transmit confidential information. The use of e-mail is often the most expedient process, but it also poses a considerably higher risk of breach of confidentiality. As with paper records, important safeguards must be in place to protect the information contained in e-mail so that it reaches its intended destination in a secure manner. Additional safeguards (such as the use of password-protected attachments and/or the use of encryption techniques) should be employed when dealing with sensitive or confidential information.

4. Enforcement

Violators of this policy may be subject to appropriate disciplinary action up to and including employment termination, termination of agreements, denial of service, and/or legal penalties, both criminal and civil.

Business Continuity Policy
Issue Date: March 8, 2005
Revision Date:

1. Policy Purpose

This document defines the County’s Business Continuity Plan (BCP) planning efforts and functions, and assigns roles and responsibilities for this effort.

2. Policy Scope

This policy applies to all departments throughout the entire County organizational structure.

3. Policy Description

To adequately address BCP, each County department must have a documented plan to cover these five distinct areas:

Business Impact Analysis: Identify critical business functions, define impact scenarios, and determine resources needed to recover from each impact.

IT Backup and Recovery Plan: IT data backups, storage, data restore procedures; recover mission critical technology and applications at an alternative site.

Business Contingency Plan: How to continue business without “normal” resources.

Business Recovery Plan: Recover mission-critical processes at alternative sites.

Business Restoration Plan: Restore normal business functions at permanent facilities.

Business Continuity Test Plan: A plan for testing all BCP related activities, including, but not limited to, IT data recovery and testing of contingency, recovery and restoration procedures.

Current copies of a department’s business continuity plans will be stored offsite at an alternate location for use during an emergency situation.

Testing of the plan will be conducted periodically, with an annual review of the plan. As part of change control, any system, application, or network change must be reflected or considered in the BCP. Updates and revisions to the BCP will be distributed to all employees involved in the recovery process and to the County Administrative Office (CAO).

4. Enforcement

The County’s CAO is responsible for ensuring that each County business unit has a documented BCP.

5. Definitions

Business Impact Analysis (BIA): Analysis to determine the impact that certain defined disaster scenarios would have on the department. These disasters could include short-term and long-term disasters. The intent of this BIA is to determine what processes and resources are needed in these disaster scenarios.

IT Backup and Recovery Plan: Related to IT system back-ups and recovery. The IT Backup and Recovery Plan is provided by the relevant IT service organizations and is developed by determining the business requirements for frequency of back-ups, retention of back-up media, plans for restoring the back-ups, and a recovery plan for restoring back-ups in an alternate IT site.

Business Contingency Plan: Defines the processes needed to continue to offer business services to clients. In a disaster situation, decreased services may be required; however, this Business Contingency Plan lists how these services are to be provided.

Business Recovery Plan: Defines the steps required to recover from a situation that had some impact on the business’s “normal” functions.

Business Restoration Plan: Defines the steps required to restore the business completely from a disaster that required the business to relocate, to offer limited services, or to not provide services at all.

Wireless Communication Policy
Issue Date: March 8, 2005
Revision Date:

1. Policy Purpose

Wireless networks pose a risk to the security of County data assets. Wireless networks are inherently insecure and can effectively open another public connection to the County Wide Area Network (WAN) that bypasses the County’s current security infrastructure. This policy prohibits access to the County WAN via unapproved wireless communication mechanisms.

2. Policy Scope

This policy covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs, etc.) connected to any of the County internal networks. This includes any form of wireless communication device capable of transmitting packet data. Wireless devices and/or networks without any connectivity to the County’s internal network do not fall under the purview of this policy.

3. Policy Description

To comply with this policy, wireless implementations must:

• Have the design reviewed and approved by ITS.
• Comply with current County Wireless Security Standards and Procedures.
• Have the final installation approved and tested by ITS before the wireless network goes into production.

4. Enforcement

Electronic monitoring of wireless communication in and around County owned or leased facilities may be undertaken, in coordination with ITS, to verify that no devices are accessing County resources out of compliance with this policy. Violators of this policy may be subject to appropriate disciplinary action up to and including employment termination, termination of agreements, denial of service, and/or legal penalties, both criminal and civil.

Logon Banner Policy
Issue Date: March 8, 2005
Revision Date:

1. Policy Purpose

The purpose of this policy is to inform users of their responsibilities and obligations when accessing County network and computer systems, and of the consequences of inappropriate use/access. In general, legal opinion is that people have to be aware of limitations and penalties before they can be held accountable. Therefore, to establish a reasonable expectation that users have been notified of the existence of acceptable use expectations, to limit the expectation of user privacy, and to be able to prosecute violators (especially under Public Laws 98-473 and 99-474), the County needs to establish a Logon Banner Policy.

2. Policy Scope

This policy applies to all County employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties.

3. Policy Description

This document establishes County policy that all communications equipment capable of displaying system messages must display, as the first message seen by the user, a warning that the system being accessed is a County Information System, and that access is for official use only and is subject to monitoring. The following banner contains all the necessary elements and should be considered the County standard logon-warning banner:

“This system is for authorized use only. All activities may be recorded and monitored. There are no implicit or explicit rights to privacy using this system. Unauthorized or illegal use may be a felony offense punishable under Section 502 of the California Penal Code and/or other laws. Your use of this system indicates your acceptance of these terms.”

4. Enforcement

Violators of this policy may be subject to appropriate disciplinary action up to and including employment termination, termination of agreements, denial of service, and/or legal penalties, both criminal and civil.