Contra Costa County
File #: 24-1979
Version: 1
Name:
Type: Consent Item
Status: Agenda Ready
File created: 7/1/2024
In control: Internal Operations Committee
On agenda: 7/8/2024
Final action:
Title: RECEIVE presentation on the proposed Information Security Policy and CONSIDER approving the recommended policy for Board of Supervisors consideration or providing direction to staff on any changes. (Marc Shorr, Chief Information Officer)
Attachments: 1. Presentation: Admin Bulletin on Information Security, 2. Final Draft: Information Security Administrative Bulletin, 3. Sample Electronic Data Management Plan

INTERNAL OPERATIONS COMMITTEE

Meeting Date: July 8, 2024

Subject: County Information (Cyber) Security Policy

Submitted For: Monica Nino

Department: County Administrator

Referral No: IOC 24/8

Referral Name: Update of County Administrative Bulletins/Policies

Presenter: Marc Shorr, Chief Information Officer, Department of Information Technology

Contact: Marc Shorr, marc.shorr@doit.cccounty.us

 

Referral History:

On April 24, 2023, the Board referred to the IOC a review of several existing administrative policies: 

1. Administrative Bulletin No. 525, "Office Space"

2. Administrative Bulletin No. 525.1, "Requesting Real Estate and Capital Project Services"

3. Administrative Bulletin No. 526, "Real Estate Asset Management Policy"

4. Administrative Bulletin No. 600, "Purchasing Policy and Procedures"

and the creation of the following new Administrative Bulletins:

1. Social Media Policy (Updating and replacing 2014 policy)

2. Cybersecurity Policy (New policy). 

 

On June 27, the IOC recommended, and the Board approved, updated Purchasing policies and procedures. On July 11, the IOC recommended, and the Board adopted, an Ordinance amending the Purchasing Agent’s authority to execute contracts for special services under Government Code section 31000 by eliminating the requirement that these contracts be first reviewed, approved, and signed by the County Administrator.

On August 1, the IOC recommended, and the Board approved with amendments, updates to the County’s Social Media Policy, which prompted a new referral to the IOC regarding institution of a countywide ban on the TikTok social media application. The proposed TikTok ban has been suspended pending the outcome of a First Amendment challenge filed in May in the U.S. Court of Appeals for Washington, D.C.

As the County Administrator completes other policy updates, the final drafts are brought to the IOC for review and input.

 

Referral Update:

Today, the IOC is asked to review and provide direction on the final draft of the Information Security Policy, attached. The policy outlines the responsibilities of County departments to inventory their data and IT equipment, design and implement security measures to protect County data and IT systems, respond promptly to cybersecurity events by reporting them to the Department of Information Technology (DoIT) and initiating data recovery protocols, and ensure that staff receive appropriate and relevant training. The policy also outlines DoIT’s responsibilities to assist County departments in maintaining information security, install cybersecurity defenses and monitor their effectiveness, and help detect, investigate, and recover from cybersecurity events. The County Administrator will be responsible for overseeing policy compliance.

Chief Information Officer Marc Shorr and DoIT staff will present the proposed policy and be available to respond to any questions or comments the committee may have.

 

Recommendation(s)/Next Step(s):

RECEIVE presentation on the proposed Information Security Policy and CONSIDER approving the recommended policy for Board of Supervisors consideration or providing direction to staff on any changes.

 

Fiscal Impact (if any):

None.