MINUTES - 11141995 - C61
TO: BOARD OF SUPERVISORS
FROM: Phil Batchelor, County Administrator
Contra Costa County
DATE: November 2, 1995
SUBJECT: County Computer Use and Data
SPECIFIC REQUEST(S) OR RECOMMENDATION(S) & BACKGROUND AND JUSTIFICATION
I. RECOMMENDED ACTION:
Approve and authorize the Chair of the Board of Supervisors to implement the revised
Contra Costa County Computer Use and Data policy. This policy replaces the September
29, 1987, Personal Computer Use Policy.
II. FINANCIAL IMPACT:
There may be a slight increase in departmental administrative costs for requirements in
reviewing departmental software inventories. There may be a decrease in costs through
economy of scale in employing site licensing agreements with commercial software
vendors.
III. REASON FOR RECOMMENDATION AND BACKGROUND:
There has been massive growth in the use of both mainframe access and desktop
technology in Contra Costa County. While the use of computers in the County has added
new solutions to completing employee workload more efficiently, it has also led to
increased confusion with respect to the following issues: employee privacy rights, ownership
of equipment, software and software applications developed on County time for County
business reasons, the actual data employed in the completion of County business, and
commercial software vendors' policies regarding the legal licensing and use of their
software and computer applications. While it is important for the County to continue to
exploit the innovation brought about by technology, it is also imperative the County
remain in step with appropriate business standards and policies required to protect security
controls, computer user rights and responsibilities, and computer use policies.
CONTINUED ON ATTACHMENT: _ YES SIGNATURE:
RECOMMENDATION OF COUNTY ADMINISTRATOR RECOMMENDATION OF BOARD COMMITTEE
APPROVE OTHER
SIGNATURE(S):
ACTION OF BOARD ON November 14, 1995 APPROVED AS RECOMMENDED X OTHER
IT IS BY THE BOARD ORDERED that Resolution No. 95/560 is ADOPTED
and the above recommendation is APPROVED.
VOTE OF SUPERVISORS
_ UNANIMOUS (ABSENT None)
AYES: NOES:
ABSENT: ABSTAIN:
I HEREBY CERTIFY THAT THIS IS A TRUE AND CORRECT COPY OF AN ACTION TAKEN
AND ENTERED ON THE MINUTES OF THE BOARD OF SUPERVISORS ON THE DATE SHOWN.
ATTESTED November 14, 1995
PHIL BATCHELOR, CLERK OF THE BOARD OF
SUPERVISORS AND COUNTY ADMINISTRATOR
BY , DEPUTY
CC: All copies to Data Processing Services
M382 (10/88)
This policy brings the County up-to-date with the latest business and technology
standards/practices used in the United States today.
The County's initial personal computer use policy was written in 1987, when desktop
technology was not widely used in the business environment. Personal computers are now
prolific and are employed in most all facets of County business, from office workers to
"in-the-field" use. This trend will continue into the future. This change in policy reflects
the change in the County's use of desktop technology in doing business, and sets a policy
direction for the use of all County computer equipment and software.
IV. CONSEQUENCES OF NEGATIVE ACTION:
There is potential for serious computer security violations, and also legal liability to the
County for failure to have an active anti-software piracy policy in place.
THE BOARD OF SUPERVISORS OF CONTRA COSTA COUNTY, CALIFORNIA
Adopted this Order on November 14, 1995, by the following vote:
AYES: Supervisors Rogers, Smith, DeSaulnier, Torlakson and Bishop
NOES: None
ABSENT: None
ABSTAIN: None
SUBJECT: In the Matter of: )
County Computer use ) RESOLUTION NO. 95/560
and data )
Upon the recommendation of the County Administrator, the Contra Costa
County Board of Supervisors in its capacity as governing board of the
County of Contra Costa and of all the Districts and agencies of which it is
the ex-officio governing board,
Resolves that:
This resolution supersedes the Board's September 29, 1987 order on
personal computer use. The following policies govern the use of Contra
Costa County computers and computer data. The County Administrator is
authorized to adopt regulations on the implementation of these policies:
1. Employees are to be encouraged to use personal computers in County
departments to promote greater staff productivity.
2. The equipment, software, programs and all County data developed
and/or entered on County computers and County data entered on home
computers is property of the County.
3. Subject to applicable legal privileges and confidentiality
requirements, all County data entered on County computers and County data
entered on home computers is not private and is subject to disclosure upon
the demand of authorized County officers at any time.
4. County policies on the use of personal computers, software,
software licensing and other desktop technology are expressed in
attachments one and two hereto.
5. Department heads shall inform County employees of and review, on
an ongoing basis, adherence to, the County's policies for the use of
personal computers, software, software licensing and other desktop
technology.
6. Data Processing Services will annually publish a County-wide
policy regarding use and licensing of software on County computers.
7. Subject to prior written Department head approval and to the
policies expressed herein, County employees may use County computers for
personal matters during non-work hours.
I hereby certify that this is a true and correct copy of
an action taken and entered on the minutes of the
Board of Supervisors on the date shown.
PHIL BATCHELOR
Orig. Dept: Data Processing Services
cc: County Counsel
County Administrator
Auditor-Controller
Clerk of the Board
AWW:9 a:\comp-tax.res
RESOLUTION NO. 95/560
New Device Implementation Policies:
Before any new servers, routers, dial-in/out, Async servers, hubs or non-standard devices are
attached to the WAN, the department wishing to attach the device(s) must first notify the Network
Support Group at County DP, describing what the equipment is, and if it is a server, the server
name and network address, and the date and time that the device(s) will be connected to the
network. The date and time, and other pertinent information will be made available to all other
WAN members via a publicly accessible bulletin board or some other electronic form of
communication.
New Process Implementation Policies:
Before any new process is run across the WAN, the department wishing to run this process must
first notify the Network Support Group at County DP, describing what the process is, the extent
and type of data to be sent across the network, the source server name and network address, and
the date and time that the process will be run across the network. The date and time, and other
pertinent information will be made available to all other WAN members via a publicly accessible
bulletin board or some other electronic form of communication, so that the effects on other users
can be monitored. Based on monitoring results, the process may be approved for standard
operation across the WAN.
Attachment 1
EMPLOYEE/CONTRACTOR RESPONSIBILITY STATEMENT
Purpose of This Responsibility Statement and User Agreement:
Computer security has become an increasing concern for County government as computer access
and usage have increased through the availability of networks and personal computers. It
is therefore necessary that all employees and contractors using County computers, or
processing County data on home computers, acknowledge awareness of good computer security
practices and agree to follow these practices. This statement is intended to protect the
County and County employees authorized to access and use County data from unauthorized
access to that data.
Provisions of This Responsibility Statement:
County employees and contractors shall comply with County standards for computer security
and usage, including, but not limited to, the following:
- Good password and modem management (Exhibit 1 attached)
- Good security practices (Exhibit 1 attached)
- Proper log-off from systems and networks
- No introduction of any software or hardware onto County systems or networks
without written authorization from your Agency/Department computer systems
support staff
- Regular use of virus protection software
- No illegal or unlicensed software usage (one user/license)
- No attempts at unauthorized access to any County systems or data, or for which
you have no legitimate business need
- Use of County Internet access only for legitimate County business
- No unauthorized printing of and/or changes to data to which you have access,
or giving of access to that data to persons not authorized to view or use that
data.
- No copying of software from one computer to another without authorization of
your Agency/Department computer support staff
- Running only pre-approved processes over networks so as to avoid generating
excessive network traffic that might negatively impact other network users
- No masking the identity of an account or machine, including, but not limited
to, sending mail anonymously
- No usage of County computers for unlawful or illegal practices; for the
personal profit of yourself or others; or for personal activities that have
not been pre-approved in writing by Agency/Department management.
- No usage of County computers or networks for the creation or dissemination of
harassing or demeaning statements about individuals or groups, or of sexually
explicit materials
- California Penal Code Section 502 (excerpts attached as Exhibit 2)
All information resources on any County-owned network or system are the property of the
County, and are subject to County and Agency/Department policies on computer security and
acceptable information resources usage. Any software developed on County-time or using
County computer resources is the property of the County. There is no presumption of privacy
for persons using County computers or County networks. Persons using computers or sending
electronic mail should make the same provisions to ensure confidentiality as would be taken
for sending hard copy correspondence. All activity on County computer resources is subject
to monitoring by Agency/Department and County computer systems support staff as part of
their responsibility for ensuring system integrity and compliance with security standards.
Such monitoring may include accessing personal computers without notice to investigate
possible security breaches.
Rev. 10/9/95
Exhibit 1
Do's and Don't's for Network Users
Passwords
Almost 90% of computer network security incidents can be traced to poor or mismanaged passwords. Following
several basic rules for passwords is critical in preventing network break-ins.
1. Never share your password with anyone.
2. Don't write your password down, and don't be tempted to give your password to someone over the phone, on
electronic mail or via fax.
3. Follow the basic rules for constructing good passwords. A good password is at least 8 characters long and
includes at least one number and/or punctuation character. Good passwords are words that are not found in
the dictionary! Don't use your name, your spouse's name or your children's name as a password.
4. Choose a password that you can remember. Combine two meaningful words with punctuation, or select a
phrase and use the first letter from each word. If your system accepts long passwords, you may want to use
a "passphrase", which is a phrase that you can remember easily but that someone else cannot guess.
5. Don't embed your password in a login script or assign it to a function key.
6. Change your password at least once a year; more often is desirable.
Modem Security
1. Never attach a dial-up modem to a County PC or workstation without coordinating with your Agency/
Department computer systems support staff.
2. If you have dial-in access to a County computer, treat the dial-in number as sensitive information.
3. The rules for good password management apply to dial-in modem passwords.
Good Practices
An alert user can help detect or prevent attempted break-ins.
1. Some computers supply a "last login" date when you log in. Pay attention to when the computer thinks you
last logged in; if there is a discrepancy, notify your System Administrator. Someone else may have logged in
from your account!
2. If you are leaving your desk for a period of time, log off from the computer - especially if you are in a public
area. If you have a "screen lock" feature, you can use that instead of logging off.
3. Don't let anyone look over your shoulder while you enter your password.
4. If you can set access permissions for your files and directories, set them to be as restrictive as possible.
5. Don't install free or "shareware" software on County computers. This software may contain viruses or trap-
doors that later allow intruders access. This also applies to software that can be obtained over the Internet.
6. Be conscious of the physical security of your equipment, especially if you work in an area visited often by
persons from outside your Department or from the public. Lock doors to offices when not used or during off-
hours. Maintain physical security of any portable computer equipment such as laptops or notebooks.
Rev. 8/9/95
Exhibit 2
EXCERPTS FROM CALIF. PENAL CODE SECTION 502 ON COMPUTER CRIME
California Penal Code Section 502 states, in part, that any person is guilty of a public offense who:
1. Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any
data, computer, computer system, or computer network in order to either A) devise or execute any
scheme or artifice to defraud, deceive, or extort; or B) wrongfully control or obtain money, property, or
data.
2. Knowingly accesses and without permission takes, copies, or makes use of any data from a computer,
computer system, computer network, or takes or copies any supporting documentation, whether existing
or residing internal or external to a computer, computer system, or computer network.
3. Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data,
computer software, or computer programs which reside or exist internal or external to a computer,
computer system, or computer network.
4. Knowingly and without permission disrupts or causes the disruption of computer services or denies or
causes the denial of computer services to an authorized user of a computer, computer system, or
computer network.
5. Knowingly introduces any computer contaminant into any computer, computer system, or computer
network.
Contra Costa County ATTACHMENT 2
LAN/WAN Committee
Security Sub-Committee
July 20, 1995
TO: LAN/WAN Committee Members
FROM: CCC W.A.N. Security Sub-Committee
SUBJECT: W.A.N. Access Standard
In order to be granted access to the County W.A.N., individual departments must conform to the
following minimum standards for security. If the requesting department does not meet these
standards, their case will be reviewed by the County W.A.N. committee, and their access may be
granted or denied by that committee. Departments that are on the WAN must meet these
requirements by June 30, 1996. If they have requirements that they cannot meet, their WAN
access must be reviewed by the WAN committee.
Physical Security:
All servers, hubs, routers, and network switches must be housed in locked or entry restricted
rooms.
All user machines in non-secure work areas must be turned off overnight. Users must be logged off.
This does not apply to systems that are in use 24 hours/day.
All machines with public access must have the floppy (or other user inserted) drives removed or
locked.
At least one copy of systems backup media must be stored off site.
Password Security:
All network including home machines must be password protected.
All network user accounts must be password protected.
Each network user must have a unique user id., or if there are group id's, they must have limited
access.
All passwords must be formulated based on strong password rules.
All passwords stored on the system must be in encrypted format.
All passwords must be changed without repetition at least every 3 months.
All users must be directed to not share their passwords.
All users must be directed to not keep their passwords written down using a non-secure method.
Administrative Procedures:
Full L.A.N. backups must be performed locally at least every two weeks.
Incremental L.A.N. backups must be performed locally at least every two days.
Administrator/Supervisor, Super user access must be limited to a few knowledgeable individuals,
who actively engage in administrative activities.
Regular users must not have file "write" permission in systems directories where executable files
are stored unless necessary.
Users attempting network/systems logins must be locked out after three sequential unsuccessful
logins.
Guest, demo, or other anonymous accounts without passwords are not allowed.
Systems rights and privileges should be conservatively assigned.
All network servers must have anti-virus software installed and operational at all points of entry if
the software is commercially available.
Inactive user accounts must be disabled after 3 months and removed after 6 months.
Terminated users must be removed immediately.
Modems:
All modems must be inventoried.
All dial-in modems must have call-back, have supervised access, or other approved (by the WAN
Committee) security device(s) implemented.
All modem dial-ins must be restricted to real need users.
Modem usage must be logged where possible, and usage should be audited and reviewed regularly.
Modem phone line numbers must be treated as confidential.