COUNTY OF NEWELL - POLICY HANDBOOK

POLICY NO: POL-018-23
TITLE: NETWORK SECURITY
ADOPTED: March 9, 2023 (C-71/23)
SUPERSEDES NO: 2014-PAD-065
PAGE NO: 1 of 3

POLICY PURPOSE:

The purpose of this policy is to protect the integrity of the County’s network, to mitigate the risks and losses associated with security threats to the County Information Technology (IT) infrastructure, both internal and external, and to ensure secure and reliable network access and performance.

This policy applies to all who access the County’s network, including, but not limited to, all County employees, 3rd party contractors, consultants, and partners. This policy also applies to all computer and data communication systems owned by or administered by the or its partners.

DEFINITIONS:

Network: A collection of computers, servers, mainframes, network devices, peripherals or other devices connected to allow data sharing.

Network Security: A set of practices and configurations that uses a variety of technologies, devices, and processes designed to protect the integrity, confidentiality and accessibility of computer networks and data. Network security consists of 3 different types of controls: physical, technical, and administrative. Each control can serve a different function: preventative, detective, or corrective. See Figure 2 for examples of IT security controls and the function they serve.

IT Security Controls: Measures put in place to avoid, detect, counteract, or minimize security risks to IT Infrastructure. These controls can be physical, technical, or administrative. Security controls can function as preventative, detective, or corrective.

Users: All authorized users of the County network, including, but not limited to, employees, Elected Officials, 3rd party contractors, consultants, and partners.

IT Infrastructure Preventative Maintenance and Security Plan: A plan prepared by and for the IT Department and approved by the Executive Leadership Team that details the preventative maintenance tasks, security controls and backup retention schedules. The IT Department executes the plan annually to meet corporate expectations and legislated requirements.

Classifications and Examples:

External: External facing systems and information. This includes search engine results and social media.
Perimeter: Firewalls, Secure Web Gateway (SWG), Secure Email Gateway (SEG)
Network: Switches, Hubs, Routers, WAPs, Repeaters, Media Convertors
Host: Physical hardware of computing device (Servers, PCs, Tablet, Trimble Devices, Phones, etc.)
Operating System (O/S): Server 2012, Windows 10, iOS, Android, Linux, Device Specific O/S (QNAP, NetApp)
Application: SQL server 2017 standard, Microsoft Dynamics, ESRI ArcGIS Suite, Adobe Creative Suite, Laserfiche
Data: Files, Databases, Electronic/Digital Messages, Repositories

POLICY GUIDELINES:

IT Security Controls shall be applied in an appropriate, cost-effective manner throughout the various layers of the Classification Model.

Figure 1: Classification Model

Figure 2: Network Security Controls
Source: https://www.f5.com/labs/articles/education/what-are-security-controls

ROLES & RESPONSIBILITIES:

IT Department
• Establishing, maintaining, implementing, administering, and interpreting organization-wide information systems security policies, processes, and procedures.
• Reviewing, updating, and delivering the service levels defined within the IT Infrastructure Preventative Maintenance and Security Plan.
• Providing specific guidance, direction, and authority for information security.

Directors, Managers, Supervisors
• Identifying the level of network access for each User that reports to them.
• Where corrective action is required, ensuring actions are identified and completed.
• Ensuring that IT security controls are observed in their areas, allocating sufficient resources and staff time to meet the requirements of the IT security controls.
• Ensuring that all users are aware of the County policies, processes, and procedures related to computer systems and network access and security.

Users
• Following the policies, processes, and procedures defining computer and network access and security.
• Following training guidelines and working within security controls.
• Reporting all known and suspected information security vulnerabilities and/or violations to the IT department.