MOUNTAIN VIEW COUNTY - County council has approved a new information security policy to regulate the creation and management of information technology systems for the municipality.
The move came by way of motion at the recent regularly scheduled Mountain View County council meeting.
The policy states that it is designed to protect the county, its employees, elected officials, contractors and other authorized people from the loss, corruption and unauthorized disclosure of information, as well as the damage or impairment of technology and other digital assets owned by or entrusted to the county.
Under the policy the county will establish three principal procedures to:
• Mitigate information security risk and protect digital assets (to) safeguard employee and county information; safeguard confidentiality, integrity and availability of the network, systems, applications and data; manage and/or mitigate emerging security threats; assure leadership and stakeholders that appropriate information security practices are being executed effectively and efficiently.
• Maintain effectiveness and efficiency (to) meet the operating needs of the county in a secure manner; protect the brand and reputation of the county; and enhance the overall security environment by training and educating users.
• Meet compliance obligations (to) meet legislative and regulatory requirements.
The procedure accompanying the new policy sets out responsibilities for the chief administrative officer, directors, assistant directors, and managers. Those responsibilities include ensuring that each staff member “understands their information security-related responsibilities and acknowledges that they intend to comply with those requirements by having staff review the information security policy and procedure.”
Under the procedure, users may choose to use passwords between eight and 14 alphanumeric characters in length.
“These passwords used to access general information services, such as computers, emails, WiFi must be changed every 90 days.”
The procedure also outlines such things as access control, remote access, IT security operations processes, physical and environmental security, and compliance.
“Users who fail to comply with this procedure are subject to such appropriate measures as may be determined by senior management, including but not limited to revocation of technology privileges or further disciplinary action.”
Councillors passed the motion unanimously to approve the new policy and the accompanying procedure. All councillors attended the Nov. 18 council meeting.