RCIT-09 Reeves County IT Security policy

REEVES COUNTY IT SECURITY POLICY

Policy Statement:

In line with ongoing risk assessments and resource prioritization, Reeves County IT Department takes measures to safeguard information and information systems from potential threats such as errors, fraud, sabotage, privacy violations, and service interruptions. All users of Reeves County IT Department IT Resources are responsible for ensuring the protection of information from unauthorized access, modification, duplication, destruction, or disclosure. This policy provides guidelines for consistent and standardized administration of security access controls by the Reeves County IT Department across various platforms and applications to safeguard information and information systems.

Definitions:

- Reeves County IT Department IT Resources: Includes communication and storage networks, devices, and repositories administered by the Reeves County IT Department IT Department. This encompasses hardware, software, and access systems provided to users at all Reeves County IT Department locations, including owned and leased facilities.

- Reeves County IT Department Systems: Encompasses any system/application, whether hosted internally or externally accessed, by Reeves County IT Department users. For instance, Infinium, Reeves County IT Department's main Enterprise Resource Planning (ERP) application, is hosted on an IBM iSeries server.

- In-Scope Client Systems: Refers to client systems hosted and used by Reeves County IT Department at the direction of its clients. An exceptions process manages risks resulting from differences between client requirements and Reeves County IT Department IT policies.

- IT Security Team: A team within the Reeves County IT Department IT Department responsible for protecting information assets, including the Chief Information Officer (CIO), Chief Information Security Officer (CISO), Directors, Network Administrators, and other designated members.

- Users: Encompasses Reeves County IT Department employees, contractors, consultants, clients, and volunteers authorized to use IT resources.

Guidelines:

A. Roles and Responsibilities:

The IT Security Team is responsible for administering security within policy guidelines, establishing standards, managing RCIT Help Desk Support, creating/removing user accounts, developing security awareness, providing firewall administration, and evaluating risks. All IT employees must sign the Information Access and Confidentiality Agreement.

B. Control of Access to IT Resources:

Access to Reeves County IT Department Systems requires a completed RCIT Help Desk form and approval. Access is based on business needs, and role-based access controls are implemented to ensure segregation of duties.

C. Electronic Data Interchanges (EDIs):

Use of EDIs requires proper documentation and approval. Encryption software must be used when transferring or receiving Protected Information.

D. Removable Media:

The use of removable media is restricted unless owned by Reeves County IT Department, encrypted, approved by the IT Department, and the connecting computer has updated antivirus protection.

E. Protection of Information through Encryption:

Encryption standards are defined for protecting information in transit. Specific requirements for encryption algorithms, key lengths, and hashing are outlined. The use of removable media requires Advanced Encryption Standard (AES) 256-bit encryption.

F. Policy Administration and Enforcement:

The Reeves County IT Department IT Department administers and implements this policy. Exception requests can be submitted through the RCIT Help Desk procedure. Violations may result in disciplinary actions, including access restrictions, termination, and potential legal consequences.

This policy is aligned with Reeves County IT Department's commitment to information security and the responsible use of IT resources. Users are expected to adhere to these guidelines to ensure the integrity and confidentiality of information systems.