RCIT-13 Endpoint Security Policy
Policy Title: RCIT Reeves County Endpoint Security Policy
Policy Number: RCIT-13
Effective Date: 09/01/2022
Purpose: RCIT Endpoint Security Policy
Regulation Reference:
Rev: 1.202204
IT Reeves County Endpoint Security Policy
Policy Statement:
The IT Reeves County is committed to providing secure information technology services to enable Users to perform their duties efficiently while complying with contractual and legal obligations. Users are responsible for adhering to basic security measures on their computers and devices when accessing IT resources, as outlined in this Endpoint Security Policy.
Guidelines:
1. Data Storage and Backup:
- Users must save electronic work in the designated Remote System of record, Client repositories, or specified systems.
- Local storage on individual workstations is not backed up. Users are responsible for storing files in approved locations.
2. Baseline Image for Workstations and Laptops:
- Workstations and laptops must be deployed with standard device operating systems and software images provided by the IT Department.
- Custom or nonstandard images require review and approval by the IT Department.
3. Authentication Requirements:
- Workstations, laptops, and endpoints capable of authenticating to the RC Active Directory domain must do so when connecting to or present on the RC network.
4. Software Updates:
- Devices accessing, storing, transmitting, or receiving Protected Information must use eligible operating systems and applications configured to receive ongoing security updates.
- Unsupported or end-of-life software may be denied network access.
5. Anti-Virus / Anti-Malware Protection:
- All endpoint devices, whether RC-issued or personal, must have the latest version of updates installed when connecting to RC IT Resources.
6. Encryption of Laptops and Portable Devices:
- Full disk encryption or device encryption must be enabled for all laptops and portable devices used in RC business.
- Exceptions require approval from the IT Department based on a risk assessment.
7. Script Execution:
- Access to scripting tools is limited to administrative or development users with approved access.
8. Personal Devices:
- Personal devices are not allowed to connect to RC’s network without prior authorization from the IT Department or designee.
- Authorized personal devices must comply with this Policy and other relevant RC Policies.
9. Automatic Logon and Logoff and Session Timeouts:
- Configuration of automatic logon/logoff and session timeouts is determined by the CIO or designee based on risk analysis and departmental consultation.
10. Physical Security:
- Endpoint devices must be secured against loss, theft, and unauthorized access.
- Devices handling Protected Information must prevent unauthorized viewing.
- Unattended unlocked devices may not be left connected to RC’s network.
11. Data Security and Protected Information:
- Measures must be taken to ensure the confidentiality, integrity, and availability of Protected Information.
- Workstations must be secured, used for authorized business purposes, and comply with Password Management, Technology Use, and Software Installation Policies.
12. Local Administrator Access:
- IT Department staff and IT Security Team have local administrator access to all workstation endpoints.
- Users with a business need for elevated access must request approval from the IT Help Desk.
13. Device Inventory:
- All endpoint devices must be registered with the IT Department.
- A detailed inventory must be conducted annually, and devices no longer in use must be disposed of following RC’s Equipment Disposal Policy.
Policy Administration and Enforcement:
- This Policy is administered and implemented by the RC IT Department.
- Violations may result in disciplinary actions, including access restrictions, termination, and potential civil and criminal liability.
- Employment terms in this Policy align with any terms in collective bargaining agreements between Reeves County and unions.