Employment Home
Equal Employment Opportunity
Examination and Certification
Pre-Employment Reviews
Drug-Free Workplace
Appointment
Compensation
Employee Benefits and Insurance
Leave Administration
Work Schedules
Training
Travel/Relocation
Employee Recognition
Employee Relations
Retirement
Layoff
Position Control and Employee Files
Risk Mgt/Health and Safety
Information Security Policy Information
Section:
Subsection:
Authorized By
Ann Edwards, County Executive
Revision History
Revised: 03/01/2023
Established: 03/01/2021
Contact
Policy and Compliance Administrator
Department of Personnel Services
Email: AskDPS@saccounty.gov
Sacramento County is dependent on the use of information technology, and communication systems for effective management of government programs that deliver services to the public and streamline internal business functions. There is constant threat to the technology world wide. To address these threats, this policy and subsequent Information Technology Security Manual (ITSM) establishes an effective, accountable, and comprehensive cybersecurity framework for the County of Sacramento. Additionally, it sets forth precedence for security and privacy controls, allowing for quantifiable auditing, assessment, reporting, and monitoring of the organization's security posture. Furthermore, it serves as an umbrella for all other information security policies and associated standards.
This policy applies to all County departments and users of County IT resources and data.
The following are definitions of some of the words and acronyms that were used in this document.
Baseline Configuration - A documented set of specifications for a system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures.
Configuration Item - An aggregation of system components that is designated for configuration management and treated as a single entity in the configuration management.
Information System - A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Media - Physical devices or writing surfaces, such as flash drives or paper forms, onto which information is recorded, stored, or printed within a system.
PII - Personally Identifiable Information. Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.
Sanitize - The process of rendering access to target data on the media infeasible for a given level of effort.
SDLC - System Development Life Cycle. A process for planning, creating, testing, and deploying an information system.
Security Control - The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.
Supply Chain - A system of organizations, people, activities, information, and resources involved in supplying a product or service to a consumer. .
Supply Chain Risks - Risks related to the supply chain, such as counterfeit products or disruptions in delivery.
System - Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions.
System Component - A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware.
The Sacramento County Department of Technology shall establish and maintain an organizational Information Security Program detailed in an Information Technology Security Manual (ITSM) and published on DTECH Intranet. Those in the scope of this policy shall follow security controls presented in the ITSM. The ITSM shall be developed in alignment with the National Institute of Standards and Technology (NIST) 800-53 and include the following modules:
The purpose of Access Control is to limit (i) system access to authorized users; (ii) processes acting on behalf of authorized users; (iii) devices, including other systems; and (iv) the types of transactions and functions that authorized users are permitted to exercise.
The purpose of information security awareness, training, and education is to enhance security by (i) raising awareness of the need to protect system resources; (ii) developing skills and knowledge so system users can perform their jobs more securely; and (iii) building in-depth knowledge as needed to design, implement, or operate security programs for organizations and systems.
The purpose of Audit and Accountability is to (i) create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity; and (ii) ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable.
The purpose of Assessment, Authorization, and Monitoring is to (i) periodically assess the security controls in organizational systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems; (iii) authorize the operation of organizational systems and any associated system connections; and (iv) monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
The purpose of Configuration Management is to (i) establish and maintain baseline configurations and inventories of organizational systems, including hardware, software, firmware, and documentation throughout the respective SDLC; and (ii) establish and enforce security configuration settings for information technology products employed in organizational systems.
The purpose of Contingency Planning is to (i) establish, maintain, and effectively implement plans for emergency response, (ii) backup operations, and (iii) oversee post-disaster recovery for organizational systems to ensure the availability of critical information resources and the continuity of operations in emergency situations.
The purpose of Identification and Authentication is to (i) identify system users, processes acting on behalf of users, or devices and (ii) authenticate or verify the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems.
The purpose of Incident Response is to (i) establish an operational incident handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.
The purpose of Maintenance is to (i) perform periodic and timely maintenance on organizational systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
The purpose of Media Protection is to (i) protect system media, both paper and digital; (ii) limit access to information on system media to authorized users; and (iii) sanitize or destroy system media before disposal or release for reuse.
The purpose of Physical and Environmental Protection is to (i) limit physical access to systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for systems; (iii) provide supporting utilities for systems; (iv) protect systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing systems.
The purpose of Planning is to develop, document, periodically update, and implement security plans for organizational systems that describe the security controls in place or planned for the system, as well as the rules of behavior for individuals accessing the systems.
The purpose of Program Management is to develop, document, periodically update and implement information security program plan, information security resources, plan of action and milestone process, system inventory, enterprise architecture, risk management strategy, insider threat program, and threat awareness program.
The purpose of Personnel Security is to (i) ensure that individuals occupying positions of responsibility with access to sensitive information within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
The purpose of PII Processing and Transparency is to (i) develop, document and implement controls that limit the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of PII; (ii) reduce the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; and (iii) ensure PII is handled consistent with applicable laws and policies.
The purpose of Risk Assessment is to periodically assess the risk to organizational operations (e.g., mission, functions, image, reputation), organizational assets, and individuals, which may result from the operation of organizational systems and the associated processing, storage, or transmission of organizational information.
The purpose of System and Services Acquisition is to (i) allocate sufficient resources to adequately protect organizational systems; (ii) employ SDLC processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect the information, applications, and/or services outsourced from the organization.
Protection The purpose of System and Communications Protection is to (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of the systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
The purpose of System and Information Integrity is to (i) identify, report, and correct information and system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational systems; and (iii) monitor system security alerts and advisories and respond appropriately.
The purpose of Supply Chain Risk Management is to manage supply chain risks associated with research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of system components or services.
The purpose of Specialized Security Controls is to (i) account for security requirements not listed in other control modules; (ii) target specific requirements for specialized applications and programs like Election and Criminal Justice Information Security.
Upon completion of the ITSM, this policy and the ITSM supersede all previous Department of Technology Information Security policies and standards while maintaining County of Sacramento Policies.