Data Security Update RECEIVE AND FILE; APPROPRIATE ACTION

Transcription

1 FRESNO COUNTY EMPLOYEES RETIREMENT ASSOCIATION Donald C. Kendig, CPA Retirement Administrator BOARD OF RETIREMENT Steven J. Jolly, Chair Dr. Rod Coburn, III, Vice Chair Laura P. Basua Greg Baxter Vicki Crow Paul Dictos, CPA Robert Dowell Eulalio Gomez Mary Ann Rogozinski, Alternate DATE: October 21, 2015 TO: FROM: Board of Retirement Donald C. Kendig, CPA, Retirement Administrator STAFF CONTACT: Pat Srisukwatana and Kim Zepeda Systems and Procedures Analysts SUBJECT: Data Security Update RECEIVE AND FILE; APPROPRIATE ACTION Background and Discussion On June 17, 2015 the Board received presentations from FCERA staff, County ITSD, and from our pension administration system vendor, Tegrit. The Board directed staff to explore security options and services and to return at a later meeting with findings and recommendations. Since the Board meeting FCERA staff has been working with ITSD and Tegrit to gather more information on our current security setup and potential enhancements that can be implemented without a major impact on cost and performance of our current systems. Staff reached out to a security expert in the field for input and recommendations as well. The presentation will be about 45 minutes in total including questions from Trustees. Our goal is to provide the Board with an update on our current I.T. setup, new security enhancements implemented since our last meeting, additional opportunities/options, and present a new Data Security Policy and an updated Portable Electronic Device Policy for adoption. We also provide FCERA s Administrative Internet and Usage Policy for informational purposes. Fiscal and Financial Impacts None from the receipt of the presentation. Recommended Action(s) 1. Receive presentations from FCERA Staff; 2. Approve the proposed Data Security Policy as presented by staff, or as modified for Board directed changes; and 3. Approve the updated Portable Electronic Device Policy as presented by staff, or as modified for Board directed changes H Street, Fresno, CA 93721, Tel Fax

2 Data Security Update Page 2 Attachments 1. Data Security Policy (New) 2. Portable Electronic Device Policy 3. Portable Electronic Device Policy Red Line 4. Data Security Update Presentation 5. Administrative Internet and Usage Policy (Reference)

3 FRESNO COUNTY EMPLOYEES RETIREMENT ASSOCIATION (FCERA) DATA SECURITY POLICY I. PURPOSE The Board of Retirement (Board) of the Fresno County Employees Retirement Association (FCERA) adopts this policy to establish guidelines and procedures for the security of confidential member data. The Board and all FCERA employees are required to comply with the policies and procedures set forth in this document. II. POLICY 1) Accessing Data a) Access to member data is limited to authorized FCERA staff. b) Modification of member data may only be done by authorized FCERA staff. c) Granting and removing system access will be initiated by authorized FCERA managers. d) Any data extracted will be limited, secure, temporary, and by authorized FCERA staff. 2) Sharing Data a) At times member data that contains Personally Identifiable Information (PII) must be extracted and shared. Some examples are; actuarial valuations, yearly audits, death audits, and state and federal reporting and authorized Public Records Act requests. Secure procedures are in place for all these processes that include password security, data encryption and/or secure file transfer protocol (SFTP). Excluding these required functions, PII member data will not be transported off FCERA premises. PII member data is considered to be any data that includes SSN, birth date, name, address, or account number. 3) Storing Data a) All electronic member data will reside in the Arrivos databases hosted by InetU or in the Fresno County secure servers. b) Extracted Member data will only be stored on the Fresno County network drives. Temporary storage on desktop PCs should be cleared daily or at the end of the project/assignment. 1 P age

4 FCERA Data Security Policy c) The use of removable media such as usb drive and cd-r is limited to authorized FCERA staff. 4) Access to Building a) The Executive Assistant will maintain a list of existing authorized personnel that has access to FCERA s facility. b) With an approval of the Retirement Administrator or designee, the Executive Assistant will request access for new personnel. c) With an approval of the Retirement Administrator or designee, the Executive Assistant will request an access removal for terminated personnel. 5) Electronic Portable Devices a) Refer to FCERA Portable Electronic Device Policy. 6) Annual Security Audit a) Authorized FCERA staff will perform an annual security audit to ensure user s access is up to date on all systems. III. Policy Review 1) The Board shall review this policy at least every three years. 2) This policy was initially adopted on October 21, IV. Secretary s Certificate I, Donald Kendig, the duly appointed Secretary of the Fresno County Employees Retirement Association, hereby certify the adoption of this Policy. [Date] Date of Action: [insert signature] By: Retirement Administrator 2 P age

5 FRESNO COUNTY EMPLOYEES RETIREMENT ASSOCIATION (FCERA) PORTABLE ELECTRONIC DEVICE POLICY For the purpose of this policy, portable electronic devices are defined to include cellular phones, personal digital assistants, laptops, e-readers, netbooks, notebooks, tablets or any other electronic device capable of displaying data or images. I. Purpose: 1) This policy is intended to set forth the authorization and limitations of use of Fresno County Employees Retirement Association (FCERA) portable electronic devices. II. Scope: 1) These guidelines apply to all FCERA Board members and staff. III. Background: 1) FCERA Board packet material is extensive. Copying, delivering, and producing the packet material is expensive and contrary to environmental practices of FCERA. FCERA currently generates an electronic version of the Board packets. FCERA facilitates the offsite access and usage of this electronic version by allowing Board members and staff to use FCERA portable electronic devices to retrieve, store, edit and read the electronic Board packet. IV. Policy: Portable electronic devices are a potential security risk because they may contain private, confidential or sensitive FCERA member information, and being portable, are at risk for loss, theft, or other unauthorized access. 1) Board members and staff must understand that their authorization to periodically use FCERA portable electronic devices is limited to and for the sole purpose of conducting FCERA business and not for personal use. Board members and staff have no expectation of privacy 2) FCERA portable electronic devices are not solely assigned to individual Board members and staff but are resources to be used on an as needed basis and will be rotated amongst Board members and staff in accordance with FCERA s business needs. FCERA is entitled to and will require such devices to be returned to FCERA for routine maintenance and to ensure that they are being used only in a manner that is consistent with these policies. Board and staff members must return FCERA portable electronic devices to the FCERA Administrator upon their termination of Board membership or FCERA employment. 3) Board members and staff will not permit anyone else to use this FCERA property for any purpose. 1 P age

6 FCERA Portable Electronic Device Policy 4) Only the electronic versions of the Board packets will be downloaded to FCERA portable electronic devises. No other data or programs may be downloaded to FCERA portable electronic devices for any purpose, without prior written authorization from the FCERA Administrator. 5) Board members and staff who have an assigned portable electronic device are responsible for the security of the device, all associated equipment and all data. Board members and staff must immediately report any lost or stolen FCERA portable electronic equipment or data to the Administrator as soon as such loss or theft is discovered. If a member of the Board or staff loses or damages a portable electronic device and requests a replacement, the Board will decide at an open meeting whether to replace the lost or damaged portable electronic device. 6) FCERA portable electronic devices may remotely access the FCERA network only through secure remote access systems maintained by FCERA. 7) The electronic versions of the Board packets may not be transferred from FCERA portable electronic devices to any other electronic devices for any purpose. 8) In order to avoid inadvertent violations of open meeting laws, the Board members may not use portable electronic devices (whether issued by FCERA or otherwise) to communicate with each other during a meeting of the Board. Further, consistent with law and FCERA s other policies, a majority of the Board members may not communicate with each other (either at the same time or serially) regarding FCERA matters, outside of noticed Board meetings. 9) The Board may further condition or revoke the privilege of using a portable electronic device at any time. 10) FCERA portable electronic devices should not access unprotected public wifi. V. Policy History 1) This policy was adopted by the Board on September 7, ) This policy was reviewed and amended by the Board on October 21, VI. Secretary s Certificate I, Donald Kendig, the duly appointed Secretary of the Fresno County Employees Retirement Association, hereby certify the adoption of this Policy. [Date] Date of Action: By: Retirement Administrator 2 P age

7 FRESNO COUNTY EMPLOYEES RETIREMENT ASSOCIATION (FCERA) PORTABLE ELECTRONIC DEVICE POLICY For the purpose of this policy, portable electronic devices are defined to include cellular phones, personal digital assistants, laptops, e-readers, netbooks, notebooks, tablets or any other electronic device capable of displaying data or images. I. Purpose: 1) This policy is intended to set forth the authorization and limitations of use of Fresno County Employees Retirement Association ( FCERA ) portable electronic devices. II. Scope: 1) These guidelines apply to all FCERA Board members and staff. III. Background: 1) FCERA Board packet material is extensive. Copying, delivering, and producing the packet material is expensive and contrary to environmental practices of FCERA. FCERA currently generates an electronic version of the Board packets. FCERA would like to facilitates the offsite access and usage of this electronic version by allowing Board members and staff to use FCERA portable electronic devices to retrieve, store, edit and read the electronic Board packet. IV. Policy: Portable electronic devices are a potential security risk because they may contain private, confidential or sensitive FCERA member information, and being portable, are at risk for loss, theft, or other unauthorized access. Further, portable electronic devices may be more vulnerable to viruses and other such threats because the user may not regularly use virus protection software and other safeguards available to FCERA desktop computers. 1) Board members and staff must understand that their authorization to periodically use FCERA portable electronic devices, associated equipment and software ( FCERA portable electronic devices ) is limited to and for the sole purpose of conducting FCERA business and not for personal use. Board members and staff further understand that they have no expectation of privacy with regard to their use of such devices. 2) FCERA portable electronic devices are not solely assigned to individual Board members and staff but are resources to be used on an as needed basis and will be rotated amongst Board members and staff in accordance with FCERA s business needs. FCERA is entitled to and will require such devices to be returned to FCERA for routine maintenance and to ensure that they are being used only in a manner that is consistent with these policies. Board and staff members must return FCERA portable electronic 1 P age

8 FCERA [Name of Policy]Portable Electronic Device Policy devices to the FCERA Administrator upon their termination of Board membership or FCERA employment. 3) FCERA portable electronic devices are not for the personal use of the Board member or staff employee or any other person or entity. Board members and staff will not permit anyone else to use this FCERA property for any purpose. 4) Only the electronic versions of the Board packets will be downloaded to FCERA portable electronic devises. No other data or programs may be downloaded to FCERA portable electronic devices for any purpose, without prior written authorization from the FCERA Administrator. 5) Board members and staff who have an assigned portable electronic device are responsible for the security of the device, all associated equipment and all data. Board members and staff must immediately report any lost or stolen FCERA portable electronic equipment or data to the Administrator as soon as such loss or theft is discovered. If a member of the Board or staff loses or damages a portable electronic device and requests a replacement, the Board will decide at an open meeting whether to replace the lost or damaged portable electronic device. 6) FCERA portable electronic devices may remotely access the FCERA network only through secure remote access systems maintained by FCERA. 7) The electronic versions of the Board packets may not be transferred from FCERA portable electronic devices to any other electronic devices for any purpose. 8) In order to avoid inadvertent violations of open meeting laws, the Board members may not use portable electronic devices (whether issued by FCERA or otherwise) to communicate with each other during a meeting of the Board. Further, consistent with law and FCERA s other policies, a majority of the Board members may not communicate with each other (either at the same time or serially) regarding FCERA matters, outside of noticed Board meetings. 9) The Board may further condition or revoke the privilege of using a portable electronic device at any time. 10) FCERA portable electronic devices should not access unprotected public wifi. V. Policy History 1) This policy was adopted by the Board on September 7, )2) This policy was reviewed and amended by the Board on October 21, Formatted: English (U.S.) VI. Secretary s Certificate 2 P age

9 FCERA [Name of Policy]Portable Electronic Device Policy I, Donald Kendig, the duly appointed Secretary of the Fresno County Employees Retirement Association, hereby certify the adoption of this Policy. [Date] Date of Action: [insert signature] By: Retirement Administrator 3 P age

10 Data Security Updates Presented by Pat Srisukwatana Kim Zepeda

11 Presentation Overview Overview of current system Data Security Model Additional opportunities Questions from the Board

12

13 Overview of Current System Two logical entities that host FCERA member data Tegrit/InetU Pension Administration System County ITSD General Ledger System, Document Imaging System, Network Drives, Network Security, and

14 Data Security Model Parameter Controls User level Control Member Data Data Security Policies User Training and Awareness

15 Data Security Model Parameter Controls User level Control Member Data Data Security Policies User Training

16

17 Parameter Control Firewalls Network Activity Monitoring Physical Access Control Virus Protection Secure Network Connectivity

18 Data Security Model Parameter Controls User level Control Member Data Data Security Policies User Training

19

20 User Level Control User roles and groups Enhanced password and password reset User audit trails PC lock* USB/CD Rom disabling* Encryption of removable devices*

21 Data Security Model Parameter Controls User level Control Member Data Data Security Policies User Training and Awareness

22

23 User Training Quarterly Staff Training Ongoing Security Awareness Newsletter Articles on Security

24 Data Security Model Parameter Controls User level Control Member Data Data Security Policies User Training

25

26 Data Security Policies and Procedures FCERA Data Security Policy Portable Electronic Device Policy Data Breach Notification Procedure Ongoing/Annual Audit of User Roles

27 Data Security Model Parameter Controls User level Control Member Data Data Security Policies User Training and Awareness

28 Additional Opportunities Update existing password policy in our pension administration system Encryption of pension administration system data Encryption of OnBase image file Find and work with a data breach notification vendor to create a Data Breach Notification Procedure

29

30 Information Security Summary It s Everyone s Summary Remember Protect your password Lock your console session when away Do not leave sensitive data in open view Store data in a secure directory Do not discuss sensitive information via or in public Practice safe computing Protect the client s data and information like it was your own Your job and your organization s reputation depend on your dependability and your trustworthiness

31 Questions?

32 FRESNO COUNTY EMPLOYEES RETIREMENT ASSOCIATION (FCERA) INTERNET AND USAGE POLICY I. Overview: The Fresno County Employees' Retirement Association (FCERA) provides access to the Internet to help employees do their jobs. This Internet and Usage Administrative Policy is designed to help employees understand management's expectations for the use of Internet, Intranet, and electronic mail (Internet), and to help employees use those resources wisely. The Internet for FCERA is a business tool, provided to improve efficiency. FCERA expects employees to use the access primarily for business-related purposes, i.e., to communicate with members and other retirement associations, to research relevant topics and obtain useful business information. FCERA insists that employees conduct themselves honestly and appropriately on the Internet, and respect the copyrights, software licensing rules, property rights, privacy and prerogative of others, just as they would in any other business dealings. To be absolutely clear on this point, all existing FCERA policies apply to employees' conduct on the Internet, especially but not exclusively, those that deal with intellectual property protections, privacy, misuse of FCERA resources, sexual harassment, information and data security, and confidentiality. Unnecessary or unauthorized Internet usage causes network and server congestion. It slows other users, takes away from work time, consumes supplies, and ties up printers and other shared resources. Unlawful Internet usage may also garner negative publicity for FCERA and expose the organization to significant legal liabilities. Access to electronic communications gives each user an immense and unprecedented ability to propagate FCERA messages. Because of that power, employees must take special care to maintain the clarity, consistency and integrity of FCERA's image and posture. Anything any one employee writes in the course of acting for FCERA on the Internet could be taken as representing FCERA's public posture. The overriding principle in developing this policy is that security and confidentiality of data is to be everyone's first concern. FCERA employees can be held accountable for any breaches of security or confidentially. II. Definitions: 1) Document any type of file that can be read on a computer screen as if it were a printed page, including WORD or EXCEL files, HTML files read in an Internet browser, any file meant to be accessed by a word processing or desktop publishing program or its view, or the files prepared for the Adobe Acrobat reader and other electronic publishing tools. 2) Graphics includes photographs, pictures, animations, movies or drawings. 1 P age

33 FCERA Internet and Usage Policy 3) FCERA includes the Fresno County Employees Retirement Association and the Board of Retirement, the Retirement Administrator, Chief Accountant, Retirement Supervisor, and the Senior Accountant. III. Internet Usage Policy Provisions: 1) New employees are provided a copy of the Usage Policy established by the County of Fresno ITSD (Appendix I), the Confidentiality Non-Disclosure Statement (Appendix II), and the FCERA Internet and Usage Policy when they begin employment with FCERA. 2) Employees are to limit Internet usage to that required to conduct the business of FCERA in an efficient manner. 3) FCERA has software and systems in place that record all Internet usage. Our security systems are capable of recording for each and every user each World Wide Web site visit and each message into and out of our networks and FCERA reserves the right to do so at any time. No employee should have any expectation of privacy as to his or her Internet usage. Our managers will review Internet activity, including activity, and analyze usage patterns. Inappropriate use of the computer network will be reported to the Retirement Administrator or his/her designee for evaluation and determination of appropriate action. 4) FCERA reserves the right to inspect any and all files stored in private areas of our network in order to assure compliance with the policy. Employees have no expectation of privacy, both internally and externally, when using FCERA computer network. is similar to a postcard, available for all to read. files are backed up nightly and are retained for approximately one year. Deleting an from an in-box does not delete the trail that delivered the . 5) The display of any kind of sexually explicit image or document on any FCERA system is a violation of our policy on sexual harassment. In addition, sexually explicit material may not be archived, stored, distributed, edited or recorded using our network or computing resources. 6) FCERA uses independently supplied software to identify inappropriate or sexually explicit Internet sites. FCERA may block access from within our networks to all such sites. If employees find themselves connected accidentally to a site that contains sexually explicit or offensive material, they must disconnect from that site immediately, regardless of whether or not that site had been previously deemed unacceptable by any screening or rating program. 7) FCERA's Internet facilities and computing resources must not be used to violate the laws and regulation of the United States or any other nation, or the laws and regulations of any state, city, province or other local jurisdiction in any material way. Use of any FCERA 2 P age

34 FCERA Internet and Usage Policy resources for illegal activity is grounds for immediate dismissal and FCERA will cooperate with law enforcement activity as needed. 8) Any software or files downloaded via the Internet into FCERA network become the property of FCERA. Any such files or software may be used only in ways that are consistent with their licenses or copyrights. 9) No employee may use FCERA facilities to download or distribute pirated software or data. 10) No employee may use FCERA's Internet facilities to propagate any virus, worm, Trojan horse, trap door program code or other forms of sabotage. 11) No employee may use FCERA's Internet facilities to disable or overload any computer system or network, or to circumvent any system intended to protect the privacy or security of another user. 12) Each employee using the Internet facilities of FCERA shall identify himself or herself honestly, accurately and completely including one's FCERA affiliation and function, when setting up accounts on outside computer systems. 13) Employees are not to participate in unauthorized mass mailings, online gaming or gambling, stock trading, commerce for personal gain, dissemination of vulgar, racist, or obscene material, violations of copyright law, leaking sensitive or confidential information or attempting to hack into another system. 14) Only the Retirement Administrator or his/her designee is authorized to speak to the media, to analysts or at public gathering on behalf of FCERA. Employees may speak/write in the name of FCERA in electronic communications only to the extent authorized by the Retirement Administrator or his/her designee. Users must refrain from any political advocacy and must refrain from the unauthorized endorsement or appearance of endorsement by FCERA of any person, product, or service. 15) FCERA retains ownership of any material posted on the Internet by any employee in the course of his or her duties. 16) Employees are reminded that it is inappropriate to reveal confidential FCERA information, member data, trade secrets and any other material covered by existing FCERA confidentiality policies and procedures on the Internet. Employees releasing such confidential information whether or not the release is inadvertent will be subject to the penalties provided in existing FCERA policies and procedures. 17) Use of FCERA Internet access facilities to commit infractions such as misuse of FCERA assets or resources, sexual harassment, unauthorized public speaking and misappropriation of intellectual property are also prohibited by FCERA policy and will be 3 P age

35 FCERA Internet and Usage Policy sanctioned under the relevant provision of the County of Fresno Salary Resolution and Personnel Rules and any relevant Memorandums of Understanding. 18) Because a wide variety of materials may be considered offensive by colleagues, members or suppliers, it is a violation of FCERA policy to store, view, print or redistribute any document or graphic file that is not directly related to the user's job or FCERA's business activities. 19) Employees with Internet access must take particular care to understand the copyright, trademark, libel, slander and public speech control laws so that use of the Internet does not inadvertently violate any laws which might be enforceable against FCERA. 20) Employees with Internet access may download only software with direct business use and must arrange to have such software properly licensed and registered. Downloaded software must be used only under the terms of its license. 21) Employees with Internet access may not use FCERA Internet facilities to download entertainment software or games, or to play games against opponents over the Internet. 22) Employees with Internet access may not use FCERA Internet facilities to download images or videos unless there is an express business-related use for the material. 23) Employees with Internet access may not upload any software licensed to FCERA or data owned or licensed by FCERA without the express authorization of the Retirement Administrator or his/her designee. 24) User IDs and passwords help maintain individual accountability for Internet resource usage. Any employee who obtains a password or ID for an Internet resource from FCERA must keep that password confidential. FCERA's policy prohibits the sharing of user IDs or passwords obtained to access to Internet sites. Management reserves the right to the passwords for all data stored on its computers. There will be no file(s), programs or data that cannot be accessed by appropriate management personnel. 25) The record retention requirements shall apply to all records obtained or received via the Internet. Employees shall determine whether to preserve or delete the material and communications consistent with the record retention schedule and records retention policy. The record retention policy is available to any employee upon request. 26) Employees should not assume that any data or databases are automatically subject to public inspection under the California Public Records. There are numerous exclusions to this law, and such data may not be forwarded, uploaded, or otherwise transmitted to non-fcera entities without appropriate approval. The Public Requests for Information Policy adopted by the governing board of FCERA requires the approval of the Retirement Administrator or his/her designee before releasing any data. 4 P age

36 FCERA Internet and Usage Policy 27) Personal use of the computer, Internet, and should be limited. Any employee who uses FCERA's computer systems for personal use does so at his/her own risk, as all transmissions and files stored on a FCERA computer are the sole property of FCERA. 28) Employees should schedule communications-intensive operations such as large file transfers, video downloads and the like, for off-peak times. 29) Any file that is downloaded must be scanned for viruses before it is run or accessed. 30) Video and audio streaming and downloading technologies represent significant data traffic that can cause local network congestion. Video and audio downloading should not be performed without prior authorization of the Retirement Administrator or his/her designee. 31) Each employee is responsible for any unauthorized Internet usage that occurs under his/her password or ID. 32) FCERA has installed an Internet firewall to assure the safety and security of FCERA's network. Any employee who attempts to disable, defeat or circumvent any FCERA security facility will be subject to immediate dismissal. 33) Files containing sensitive FCERA data, as defined by existing FCERA data security policy, which are transferred in any way across the Internet must be encrypted. 34) Only those Internet services and functions with documented business purposes for FCERA will be enabled at the Internet firewall. IV. Secretary s Certificate I, Donald Kendig, the duly appointed Secretary of the Fresno County Employees Retirement Association, hereby certify the adoption of this internal administrative policy. October 14, 2015 Date of Action: By: Retirement Administrator 5 P age

37 FCERA Internet and Usage Policy Acknowledgement: I acknowledge that I have received a written copy of the Internet and Usage Policy for FCERA. I realize that FCERA's security software may record and store for management use the electronic message I send and receive, the Internet address of any site that I visit, and any network activity in which I transmit or receive any kind of file. I understand that abuse of the Internet access provided by FCERA in violation of law or FCERA policies will result in disciplinary action, up to and including my dismissal from employment or even criminal prosecution. I understand that I may be held personally liable for any violations of this policy. I understand the terms of this policy and agree to abide by them. Signature Witness Printed Name Printed Name Date Date 6 P age

38 Appendix I County Permissions Each Outlook user has been granted a mailbox with the storage capacity of 500 MB. Additional storage can be requested, however be aware that storage charges will also increase. The size of the files that can be sent or received has been restricted to 15 MB each. County Policies facilities have been provided to support business related research, service activities and associated administrative functions. Users are reminded that is a County facility, and as such, use must fit the test of County business use. Any use of the facilities that results in interference with these activities and functions of the County is improper. Incoming messages will be scanned at the server by virus checking software and by other malign content software. The following prohibited uses are presented as examples of prohibitions, but are not necessarily all inclusive. Use of facilities for commercial or private business purposes. Use of that unreasonably interferes with or threatens other individuals, groups or entities. Use of that degrades or demeans other individuals. Use of to distribute hoaxes, chain letters, or advertisements; and/or to send rude, obscene or harassing messages. To propagate viruses, knowingly or maliciously. To send, forward and/or reply to large distribution lists concerning non-county business. Transmission of copyrighted material including software, research data and manuscripts without the consent of the copyright holder is strictly prohibited.

39 Confidential or sensitive information may only be sent by e- mail when the or attachment conforms to the County s encryption policy. See Management Directive Outbound messages will be spot-checked to assure that this policy is being followed. (The county policies information can be found in the Fresno County Administrative Officer s Management Directives 1380 Acceptable Use Policy Section Guidelines for Use of County Facility). County Restrictions A program is in place that can filter out spam, block specific , and trap such as password protected, music, and movie files and quarantine them for appropriate processing. This does not necessarily mean that these s cannot be sent or received, just that if caught they will be opened for business content verification before being sent on or deleted. (NOTE: sending any media file not business related outside the county will result in your mailbox being disabled.) Attachments Attaching files to is convenient, quick and easy way to share a wealth of information. Unfortunately, this convenience also makes it easy for unscrupulous users to share bad things like viruses or worms. Sometimes just the presence of a picture in a message can allow someone to have access to your private information without your knowledge. In order to open an attachment, another program must be started so that you can view the contents of the attachment. Often, it's that action of starting a program that creates an opportunity for harm. Attached files can also contain macros or other code that can harm your computer. Another chance for harm occurs when you view or download a picture in a message as you could at the same time be sending information that you don't intend to send. Note: Attachments are stored with the messages they're attached to. That means that, unless you remove them, attachments live in your mailbox where they take up space.

40 Does the message in the picture look familiar? It's a message about a blocked attachment. You may already be aware that not all types of attachments can be opened in Outlook. Because of their enormous potential to do harm, Outlook now blocks certain file types automatically. Examples of blocked file types include executable files (.exe, as shown in the picture), batch processing files (.bat), and active server page (.asp) files and database files (.mdb). This blocking helps protect your computer from viruses and cannot be changed. Although this enforced blocking makes file sharing less convenient, you should be aware that you can still use to share any file type with trusted friends and colleagues you ll just need to take a few extra steps for the sake of enhanced security. Remember that if the people you send to are also using Outlook, they will have some file types blocked automatically. They'll receive your with an annoying message that says that the file was blocked. Zip it, Link it, or Rename it However, that doesn't mean that you can't send these types of file to them. You'll just need to take some additional steps before you send the file. Here are some options you have for sending a file that would otherwise be blocked:

41 Zip it use a zip program to package files before you attach them to your e- mail message. In your message, you can include instructions explaining how to extract the files from the package to make it easy for recipients to access the files. Put it on a server and link to it in your message, you can include a link to the server that you have given the recipients access to. Rename it for example, you might rename file.exe to file.txt, and then attach the file to the message. You can include instructions in the message for the recipient to save the file with the correct name, file.exe. The key point to remember here is that you should only open files that you expected from someone. Microsoft Restrictions Below is a complete list of files that Microsoft Outlook blocks and cannot be changed by County of Fresno policies. File extension ade adp app asp bas bat cer chm cmd com cpl crt csh exe fxp hlp hta inf File type Access Project Extension (Microsoft) Access Project (Microsoft) Executable Application Active Server Page BASIC Source Code Batch Processing Internet Security Certificate File Compiled HTML Help DOS CP/M Command File, Command File for Windows NT Command Windows Control Panel Extension (Microsoft) Certificate File csh Script Executable File FoxPro Compiled Source (Microsoft) Windows Help File Hypertext Application Information or Setup File

42 File extension ins isp its js jse ksh lnk mad maf mag mam maq mar mas mat mau mav maw mda mdb mde mdt mdw mdz msc msi msp mst ops pcd pif prf prg pst reg scf scr sct shb shs File type IIS Internet Communications Settings (Microsoft) IIS Internet Service Provider Settings (Microsoft) Internet Document Set, Internet Translation JavaScript Source Code JScript Encoded Script File UNIX Shell Script Windows Shortcut File Access Module Shortcut (Microsoft) Access (Microsoft) Access Diagram Shortcut (Microsoft) Access Macro Shortcut (Microsoft) Access Query Shortcut (Microsoft) Access Report Shortcut (Microsoft) Access Stored Procedures (Microsoft) Access Table Shortcut (Microsoft) Access Shortcut (Microsoft) Access View Shortcut (Microsoft) Access Data Access Page (Microsoft) Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft) Access Application (Microsoft), MDB Access Database (Microsoft) Access MDE Database File (Microsoft) Access Add-in Data (Microsoft) Access Workgroup Information (Microsoft) Access Wizard Template (Microsoft) Microsoft Management Console Snap-in Control File (Microsoft) Windows Installer File (Microsoft) Windows Installer Patch Windows SDK Setup Transform Script Office Profile Settings File Visual Test (Microsoft) Windows Program Information File (Microsoft) Windows System File Program File MS Exchange Address Book File, Outlook Personal Folder File (Microsoft) Registration Information/Key for W95/98, Registry Data File Windows Explorer Command Windows Screen Saver Windows Script Component, Foxpro Screen (Microsoft) Windows Shortcut into a Document Shell Scrap Object File

43 File extension tmp url vb vbe vbs vsmacros vss vst vsw ws wsc wsf wsh File type Temporary File/Folder Internet Location VBScript File or Any VisualBasic Source VBScript Encoded Script File VBScript Script File, Visual Basic for Applications Script Visual Studio.NET Binary-based Macro Project (Microsoft) Visio Stencil (Microsoft) Visio Template (Microsoft) Visio Workspace File (Microsoft) Windows Script File Windows Script Component Windows Script File Windows Script Host Settings File

44 FRESNO COUNTY EMPLOYEES RETIREMENT ASSOCIATION APPENDIX II Donald C. Kendig, CPA Retirement Administrator CONFIDENTIALITY NON-DISCLOSURE STATEMENT I,, acknowledge that I am aware my Department Head retains a copy of Fresno County s Information Technology and Telecommunications Security Policy (Appendix A) to which I can have access at any time. I have been afforded an opportunity to discuss said policy with my supervisor, and any questions concerning the County Information Security Policy have been answered. I further acknowledge and understand that: A. The County has sole ownership of all data, files, and software stored on any County computer equipment or computer media, including transferable media such as diskettes and tapes and all information stored on paper, tape recordings, film or fiche. B. The County has an unrestricted right of access to and disclosure of all County owned information regardless of where or how it is stored. C. I will provide access to all files or data to the appropriate County official(s) on request and I will not transfer, share, publish, or disclose the County owned information to anyone not authorized by the County. D. I will not disclose confidential information to other persons. EMPLOYEE SIGNATURE DATE WITNESS SIGNATURE DATE 1111 H Street, Fresno, CA 93721, Tel Fax

45 Appendix A Fresno County Board of Supervisors POLICY STATEMENT ADMINISTRATIVE POLICY NUMBER 49 Information Technology and Telecommunications Security Policy Effective Date: November 26, 2002 The County s Information Technology (IT) telecommunications environment includes IT communications infrastructure, information processing, voice telecommunication, video, imaging and data systems employed by the County s departmental business functions. It is the County s policy that an IT Security Program provide for a business-appropriate level of security and protection in order to prevent loss, destruction, corruption, misappropriation or misuse of information, data and/or computing resources. As departments increasingly move business processes from paper to technology, routine responsibilities for assuring security of data, privacy and confidentiality are no longer satisfied with paper controls. Responsibility for technology-based security, privacy and confidentiality controls expands in this new business environment to include every individual employed in Fresno County government who uses a computer or telecommunications device. The security of Fresno County s IT telecommunications environment is dependent upon effective tools and informed individuals. POLICY PROVISIONS A. Information Technology security measures having the highest priority encompass enterprise-wide systems and mission-critical business functions, business applications/systems and operations. Mission-critical systems are those that support public safety, health and welfare, and financial data. Within that overall framework, the level of IT security investment is deemed to be a business or risk-based decision-making process. The issues to be considered are: The Federal and State laws/regulations and/or County ordinances that govern protection of the County s information. The sensitive or confidential nature of the information. The mission-critical nature of the business function/business process. The potential risk exposure. The risk occurrence that would most likely be created by an IT security failure. The potential cost of such risk occurrence. AP 49 PAGE 1 OF 2

46 Number 49 Information Technology and Telecommunications Security Policy Effective Date: November 26, 2002 Page 2 of 2 B. Guarding against the potential risk that County government operations might be severely disrupted during a technical outage or man-made or natural disaster is a critical element of the County s IT Security Policy. Appropriate risk management plans addressing the areas of operational recovery, disaster recovery and business continuity, must be in place to maintain prescribed operations and service levels. C. Constituents and business partners must be assured that their privacy and confidentiality, including personal, health and financial information, will not be abused when doing business with the County through any medium. D. Security measures that appropriately protect information and data that is deemed nonpublic under the Public Records Act must be in place as a component of the County s IT Security Program. Requests for public records will be managed according to the County s Public Records Policy. E. Security measures must be in place to assure the integrity of financial transactions and protect County and personal financial information. F. Business-appropriate security measures will be taken to protect the County s information, data, and computing resources, as well as the privacy and confidentiality of those with whom the County does business in all Internet based e-government or e- Commerce business applications. G. The Internet may not be used for any outside business activity, unethical or unlawful activity. Misuse of the Internet will result in disciplinary action. H. is available to employees to enhance their personal productivity when carrying out County-assigned job responsibilities. Misuse of the facility will result in disciplinary action. I. The County s Web Site offers the County an opportunity to interface efficiently and effectively with the County s business, civic and constituent communities. Government service web-based offerings must be designed and implemented in such a way that they do not compromise the County s IT security methodologies. J. In the case of Internet-based business applications, departments must post privacy policies on principal web sites, as well as at any other known, major entry points to sites and at any web page where substantial amounts of personal information are collected. K. Appropriate security measures must be in place to assure that telephone networks are not a point of entry through which the County s data and computing resources can be compromised. L. All new County employees must receive training on the County s IT Communications Security Policies prior to being granted access to any County information system. MANAGEMENT RESPONSIBILITIES The County s Chief Information Officer (CIO) is responsible for implementing and managing the County s IT communications security program in collaboration with user departments in the development of the security framework, best practices, standards and procedures. Compliance with this IT Communications Security Policy and Management Directives, is a Countywide responsibility. Managers and employees will be held accountable individually for such compliance. AP 49 PAGE 2 OF 2