4.26
LABOR AND POLICY\\Policy – Written Information Security Policy – WISP – 5-6-19
RESOLUTION ADOPTING WRITTEN INFORMATION SECURITY
POLICY (WISP) AND ESTABLISHING INFORMATION TECHNOLOGY
SECURITY COMMITTEE AND SECURITY OFFICER
RESOLUTION NO.:_______________________________________________, 2019
INTRODUCED BY: _______________________________________________
WHO MOVED ITS ADOPTION
SECONDED BY: _______________________________________________
WHEREAS, in furtherance of recommendations from the Office of the State
Comptroller’s Information Technology Audit, the Queensbury Town Board wishes to develop
and implement a comprehensive Written Information Security Policy (WISP) to create effective
administrative, technical and physical safeguards to protect personally identifiable information of
taxpayers, vendors, contractors and employees as well as sensitive Town information that could
be harmful if unauthorized access were to occur, and
WHEREAS, the Town Board has previously authorized engagement of Stored Technology
Solutions, Inc., (Stored Tech) for the provision of professional Information Technology (IT)
services, and
WHEREAS, Stored Tech and Town employees have drafted a WISP which sets forth
procedures for evaluating and addressing electronic and physical methods of accessing, collecting,
storing, using, transmitting and/or protecting personally identifiable information and sensitive
Town information and such proposed WISP has been presented at this meeting, and
WHEREAS, the Town Board also wishes to establish and define the duties of an IT
Security Officer position and appoint an IT Security Officer and establish and define the duties of
an IT Security Committee and appoint IT Security Committee members to assist in the
implementation of the WISP as more specifically described in the WISP,
NOW, THEREFORE, BE IT
RESOLVED, that the Queensbury Town Board hereby adopts the Written Information
Security Policy (WISP) substantially in the form presented at this meeting, and
BE IT FURTHER,
RESOLVED, that the Town Board further authorizes the establishment of the Town of
Queensbury’s Information Technology (IT) Security Committee as specifically delineated in the
WISP and appoints the following members to such Committee to serve at the pleasure of the Town
Board:
1. Town Board Member: George Ferone
2. Town Board Member: Jennifer Switzer
3. Town Clerk (RMO): Caroline Barber
4. Department Manager or Designee: Gary Crossman
5. Department Manager or Designee: Chris Harrington
6. Department Manager or Designee: George Hilton
7. Department Manager or Designee: Teri Ross
8. Department Manager or Designee: Barbara Tierney
9. Legal Assistant: Pamela Hunsinger
10. IT Security Officer (StoredTech): Timothy Cruz
and
BE IT FURTHER,
RESOLVED, that the Town Board appoints Timothy Cruz, Operations Manager, Stored
Tech, as the IT Security Officer of the Town and Chairperson of IT Security Committee to
oversee the implementation, supervision and maintenance of the WISP, and
BE IT FURTHER,
RESOLVED, that the Town Board further authorizes and directs the Town Supervisor,
Stored Tech and/or Town Budget Officer to take any actions necessary to effectuate the terms of
this Resolution.
Duly adopted this 6th day of May, 2019, by the following vote:
AYES :
NOES :
ABSENT :
Town of Queensbury
WRITTEN INFORMATION SECURITY POLICY (WISP)
May 1, 2019
WRITTEN INFORMATION SECURITY POLICY — WISP
Table of Contents
Security Policy #1. WISP ... 2
Appendix A — WISP Employee Acknowledgement Form ... 10
Security Policy #2. Termination Policy ... 11
Security Policy #3. Security Incident Procedures ... 13
Appendix A — Security Incident Response Log ... 13
Security Policy #4. Sanction Policy ... 18
Security Policy #5. Network Security ... 20
Security Policy #6. Access Control ... 23
Security Policy #7. Computer Use ... 25
Appendix A — Computer Use Policy ... 25
Security Policy #8. Disposal Procedure ... 29
Appendix A — Media Disposal Log ... 32
Security Policy #9. Bring Your Own Device (BYOD) Policy ... 34
Appendix A — Bring Your Own Device Policy ... 36
Security Policy #10. Facility Security Plan ... 40
Security Policy & Procedure #1
Written Information Security Policy (WISP)
Statement of Policy
The objective of the Town of Queensbury ("The Town") in the development and implementation of this comprehensive written information security policy ("WISP") is to create effective administrative, technical and physical safeguards for the protection of personally identifiable information (PII) of taxpayers, vendors, contractors and employees as well as sensitive Town information that could be harmful if unauthorized access were to occur. The WISP sets forth a procedure for evaluating and addressing electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting PII and sensitive Town information.
The use of the term employees will include all of The Town's elected and appointed officials, department
managers, employees, all independent contractors and temporary employees.
Purpose of Policy
The purpose of the WISP is to better:
1) Ensure the security and confidentiality of personally identifiable information (PII) of taxpayers, employees or vendors as well as sensitive Town data, which includes emails, confidential Town information (i.e. Town expansion plans, business processes, highly secretive information, etc.), employee information and the like;
2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such
information; and
3) Protect against unauthorized access to or use of such information in a manner that creates a
substantial risk of identity theft, fraud or harm to The Town.
Scope of Policy
In formulating and implementing the WISP, The Town has addressed and incorporated the following protocols:
1) Identified reasonably foreseeable internal and external risks to the security, confidentiality,
and/or integrity of any electronic, paper or other records containing PII and sensitive Town data.
2) Assessed the likelihood and potential damage of these threats, taking into consideration the sensitivity of the PII and sensitive Town data.
3) Evaluated the sufficiency of existing policies, procedures, customer information systems, and
other safeguards in place to control risk.
4) Designed and implemented a WISP that puts safeguards in place to minimize identified risks.
5) Implemented regular monitoring of the effectiveness of those safeguards.
Security Safeguards
The following safeguards are effective immediately. The goal of implementing these safeguards is to protect against risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing PII or sensitive Town data.
Administrative Safeguards
1) IT Security Committee - The Town Board will designate, at its discretion, a 10 member Committee to oversee the implementation, supervision and maintenance of the WISP. This Committee will consist of:
(a) Nine voting committee members as follows:
a. Town Clerk (Records Management Officer) or designee.
b. Legal Assistant.
c. Two Town Board members or designee (must be another Town Board member).
d. Five department managers or designee.
(b) The tenth member of the committee shall be the Town's IT Security Officer and be a representative from the Town's IT service provider. The IT Security Officer will be appointed by the Town Board, will chair the IT Security Committee, and will be a non-voting IT Security Committee member.
The responsibilities of this Town Board advisory committee include but are not limited to the following:
a. Assuring that the Town's WISP is updated as needed and in compliance with current standards.
b. Advising the IT Security Officer and Town Board.
c. Reviewing security measures to assess their effectiveness and compliance with all applicable federal, state and local laws.
d. Annually reviewing the Town's comprehensive disaster recovery plans for effectiveness and compliance.
e. Overseeing that the duties of the Town IT Security Officer are being fulfilled and are compliant.
f. Reviewing security incident review and response policies.
(c) The terms will be for one year following Town Board appointment.
2) IT Security Officer
The duties of the IT Security Officer include but are not limited to the following:
a. Implementation of the WISP including all provisions outlined in Security Safeguards.
b. Provide training options for all employees that may have access to PII and sensitive Town data. Identify those employees. Employees should receive annual training and new employees should be trained as part of the new employee hire process. Document and maintain documents demonstrating employee training. Maintain a tracking system to assure required training is completed. See Security Training.
c. Regular monitoring of the WISP's safeguards and ensuring that employees are complying with the appropriate safeguards.
d. Evaluating the ability of any Third Party Service Providers to implement and maintain appropriate security measures for the PII and sensitive Town data to which The Town has permitted access, and requiring Third Party Service Providers, by contract, to implement and maintain appropriate security measures.
e. Reviewing all security measures at least annually, or whenever there is a material change in The Town's business practices that may put PII and sensitive Town data at risk.
f. Investigating, reviewing and responding to all security incidents or suspected security incidents.
g. Develop and update the Town's comprehensive disaster recovery plans.
h. Assure Contingency Planning. See Contingency Planning.
i. Develop incident and review policies for IT Security Committee review.
j. Oversee data disposal to assure that the proposed records and data disposal is in compliance with state laws.
3) Security Management - All security measures will be reviewed at least annually, or whenever there is a material change in The Town's business practices that may put PII or sensitive Town data at risk. This should include performing a security risk assessment, documenting the results and implementing the recommendations of the security risk assessment to better protect PII and sensitive Town data. The IT Security Officer will be responsible for this review and, after consultation with the IT Security Committee and upon IT Security Committee affirmation and approval of the proposed change(s) in security measures, communicate to the Town Board the results of that review and any recommendations for improved security arising out of that review.
4) Minimal Data Collection - PII of taxpayers or employees shall only be collected if it is necessary to accomplish legitimate business transactions or to comply with any and all federal, state or local regulations.
5) Information Access - Access to records containing PII and/or sensitive Town data shall be limited to those persons whose job functions require a legitimate need to access the records. Access to the records will only be for a legitimate job-related purpose.
6) Employee Termination - Terminated employees must return all records containing PII and sensitive Town data, in any form, that may be in the former employee's possession (including all information stored on laptops or other portable devices or media, and in files, records, work papers, etc.). A terminated employee's physical and electronic access to PII and sensitive Town data will be immediately blocked. A terminated employee shall be required to surrender all keys, IDs or access codes or badges, business cards, and the like, that permit access to The Town's premises or information. A terminated employee's remote electronic access to PII and sensitive Town data will be disabled; his/her voicemail access, e-mail access, internet access, and passwords will be invalidated. See Security Policy #2 — Termination Policy.
7) Security Training — All employees that may have access to PII and sensitive Town data will receive security training. Employees should receive at least annual training and new employees should be trained as part of the new employee hire process. Employees should be required to show their knowledge of the information and be required to pass an exam that demonstrates their knowledge. Documentation of employee training should be kept and reviewed.
8) WISP Distribution - A copy of the WISP will be distributed to each current employee and to each new employee on the beginning date of their employment. It shall be the employee's responsibility to acknowledge, in writing or electronically, that he/she has received a copy of the WISP and will abide by its provisions. See Security Policy #1 - Written Information Security Policy (WISP), Appendix A — WISP Employee Acknowledgement Form.
9) Contingency Planning — All systems that store PII and/or sensitive Town data should have the data backed up on, at least, a nightly basis. Data should be encrypted and be stored offsite. Disaster Recovery mechanisms and documented procedures should be in place to restore access to PII and sensitive Town data as well as any operational systems that The Town relies on. A system criticality assessment should be performed that defines how critical each of The Town's systems is. Systems that are critical to operations should be restored before non-critical systems. On a periodic basis, data backups, data restoration and Disaster Recovery procedures should be tested and validated.
10) Security Incident Procedures - Employees are required to report suspicious or unauthorized use of PII and/or sensitive Town data to a supervisor or the IT Security Officer. Whenever there is an incident that requires notification pursuant to any federal or state regulations, the IT Security Officer will conduct a mandatory post-incident review of the events and actions taken in order to determine how to alter security practices to better safeguard PII and sensitive data. See Security Policy #3 - Security Incident Response.
11) Data Sensitivity Classification — All data that The Town stores or accesses should be categorized in terms of the sensitive nature of the information. For example, PII and sensitive Town data might have a very high sensitivity and should be highly protected, whereas publicly accessible information might have a low sensitivity and require minimal protection.
12) Third Party Service Providers - Any service provider or individual ("Third Party Service Provider") that receives, stores, maintains, processes, or otherwise is permitted access to any file containing PII and/or sensitive Town data shall be required to protect PII and sensitive Town data. The Third Party Service Providers must sign service agreements that contractually hold them responsible for protecting The Town's data. Examples include third parties who provide off-site backup of electronic data; website hosting companies; credit card processing companies; paper record copying or storage providers; data destruction vendors; IT/Technology Support vendors; contractors or vendors working with taxpayers and having authorized access to PII and/or sensitive Town data.
13) Sanctions - All employees shall be required to comply with the provisions of the WISP and to prohibit any nonconforming use of PII and/or sensitive Town data as defined by the WISP. Disciplinary actions will be taken for violations of security provisions of the WISP (the nature of the disciplinary measures may depend on many factors including the nature of the violation and the nature of the PII and/or sensitive Town data affected by the violation, and are subject to applicable provisions of the New York Civil Service Law and/or the Collective Bargaining Agreement between the Town and CSEA for bargaining unit employees). See Security Policy #4 — Sanction Policy.
14) Bring Your Own Device (BYOD) Policy — The Town may allow employees to utilize personally owned devices such as laptops, smartphones and tablets. If allowed, proper safeguards must be implemented to protect PII and sensitive Town data that may be accessed or stored on these devices. Employees must understand what the requirements are for using personally owned devices and what safeguards are required. See Security Policy #9 — BYOD Policy.
Physical Safeguards
15) Facility Access Controls — The Town will implement physical safeguards to protect PII and sensitive Town data. There will be physical security on facilities/office buildings to prevent unauthorized access. All systems that access or store PII and/or sensitive Town data will be physically locked. Employees will be required to maintain a "clean desk" and ensure that PII and/or sensitive Town data is properly secured when they are not at their desk. The IT Security Officer will maintain a list of lock combinations, passcodes, keys, etc. and of which employees have access to the facilities and PII and/or sensitive data. Visitors will be restricted from areas that contain PII and/or sensitive Town data. See Security Policy #10 - Facility Security Plan.
16) Network Security — The Town will implement security safeguards to protect PII and sensitive Town data. Safeguards include: isolating systems that access or store PII and/or sensitive Town data, the use of encryption on all portable devices, physical protection on portable devices, ensuring that all systems run up-to-date anti-malware, implementing network firewalls, performing periodic vulnerability scans, capturing and retaining network log files, as well as ensuring that servers and critical network equipment are stored in an environmentally safe location. See Security Policy #5 — Network Security — IT responsibilities.
Technical Safeguards
17) Access Control - Access to PII and sensitive Town data shall be restricted to approved active users and active user accounts only. Employees will be assigned unique user accounts and passwords. Systems containing PII and sensitive Town data should have automatic logoff procedures to prevent unauthorized access. See Security Policy #6 — Access Control.
18) Computer Use — All employees will be given a Computer Use Policy that defines acceptable and unacceptable use of The Town's computing resources. Employees should be required to sign the Computer Use Policy to acknowledge acceptance of the policy. See Security Policy #7 — Computer Use.
19) Data Disposal - Written and electronic records containing PII and sensitive Town data shall be securely destroyed or deleted at the earliest opportunity consistent with business needs or legal retention requirements. No electronic or paper records should be destroyed—that is the responsibility of the RMO. No hard drives shall be destroyed without the RMO's knowledge and proper documentation; the IT Security Officer must assure that the administration of this process is in accord with the above. See Security Policy #8 — Equipment Disposal.
20) System Activity Review - All systems that store or access PII and sensitive Town data should utilize a mechanism to log and store system activity. The IT Security Officer will assure that periodic system activity reviews occur and will identify and document unauthorized access to PII and sensitive Town data. Any unauthorized access should be reported to the IT Security Officer. See Security Policy #3 - Security Incident Response.
21) Encryption — The IT Security Officer will require, to the extent technically feasible, that all portable devices that contain PII and sensitive Town data be encrypted to protect the contents and that encryption be used when sending any PII and sensitive Town data across public networks and wireless networks. Public networks include email and Internet access.
Appendix A—WISP Employee Acknowledgement Form
I have read, understand, and agree to comply with the Written Information Security Policy (WISP), rules, and conditions governing the security of PII and sensitive Town data. I am aware that violations of the WISP may subject me to disciplinary action and may include termination of my employment.
By signing this Agreement, I agree to comply with its terms and conditions. Failure to read this
Agreement is not an excuse for violating it.
Signature Date
Employee's Supervisor Signature Date
Security Policy #2
Termination Policy
Purpose of Policy
This policy defines the steps required to revoke both physical and system access to The Town's facilities
and network resources.
Termination of Access: it is essential that supervisors and/or Information Technology (IT) terminate access to Town facilities and systems in a timely manner to protect the information, systems and resources. Supervisors/IT are required to terminate access immediately upon termination (or even before when possible) of an employee, officer, workforce member or contractor. All below references to "terminated employee" shall also include Town Officials no longer serving and any third party contractors whose contract has been terminated or expired.
1) Upon termination, a terminated employee shall immediately surrender all keys, IDs, access cards/codes or badges, business cards and the like, that permit access to The Town's premises or information.
2) A terminated employee's physical and electronic access to PII and sensitive Town data shall be immediately blocked.
3) A terminated employee shall immediately return all records containing PII and sensitive Town data, in any form, that may be in the former employee's possession (including all information stored on laptops or other portable devices or media, and in files, records, work papers, etc.).
4) All computer, network, and data access a terminated employee has for both internal and
external systems shall be immediately revoked:
A. Internal systems
a. Microsoft Windows/ Network Domain
b. Systems that store or access PII and sensitive Town data
c. Email
d. Database applications
e. Any other systems that the terminated employee has access to
B. External systems
1. Cloud based systems such as credit card processing systems, billing systems, customer relationship management (CRM), etc.
5) Remote access should be removed.
6) Wireless access should be removed.
The IT Security Officer will monitor and assure that all termination steps taken are documented and retained for legal purposes and/or federal or state regulations.
Security Policy #3
Security Incident Procedures
Purpose of Policy
The purpose of the policy is to develop the response to and reporting of security incidents, including the identification of and response to suspected or known security incidents, the mitigation of the harmful effects of known security incidents, to the extent possible, and the documentation of security incidents and their outcomes.
Definitions
Breach
Breach means the acquisition, access, use, or disclosure of personally identifiable information (PII) or sensitive Town data such as email, employee information, confidential information, etc. which compromises the security or privacy of the PII or sensitive Town data.
Unsecured PII
Unsecured PII means PII that is not rendered unusable, unreadable, or indecipherable to
unauthorized individuals through the use of a technology or methodology such as encryption.
The definition of unsecured PII varies between different federal and state regulations.
Reporting and Response
1) The IT Security Officer is charged with the responsibility of identifying, evaluating and
responding to security incidents.
a. The IT Security Officer will be responsible for investigating all known or suspected
privacy and security incidents.
b. The IT Security Officer will document a procedure for all employees to follow to report privacy and security incidents. See Appendix A — Security Incident Response Log.
c. All employees must follow the documented procedure to report security incidents. In
addition, employees must report all known or suspected security incidents.
d. All employees must assist the IT Security Officer with any security incident
investigations.
Breach Determination
The IT Security Officer will investigate all reported and suspected security breaches. The IT
Security Officer will refer to federal or state regulations to help with breach determination.
Breach Notification
If the IT Security Officer determines that a breach of unsecured PII has occurred, breach notification of affected individuals may be required. The IT Security Officer will refer to federal or state regulations to help with breach notification requirements.
Key elements of a breach notification include:
1) Date of discovery
Usually a breach will be treated as discovered as of the first day the breach is known or
by exercising reasonable diligence would have been known.
2) Timeliness of notification
The Town will provide the required notifications without unreasonable delay after discovery of a breach. The amount of time The Town has to notify affected individuals varies between federal and state regulations.
3) Content of notification
If required, a notification will be provided to each individual affected by the discovered breach. The notification should include the following:
• A brief description of what happened, including the date of the breach and the
date of the discovery of the breach, if known;
• A description of the types of unsecured PII that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number or other types of information were involved);
• Any steps individuals should take to protect themselves from potential harm
resulting from the breach;
• A brief description of what The Town is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
• Contact procedures for individuals to ask questions or learn additional information, which should include a telephone number, an e-mail address, Web site, or postal address.
• The notification should be written in plain language.
4) Methods of notification
The following methods are usually used to notify individuals affected by the discovered
breach:
a. Written notice
The IT Security Officer will give written notification by first-class mail to the individual at the last known address of the individual or via e-mail if the individual agrees to e-mail notice. The notification may be provided in one or more mailings as information is available.
If the individual is deceased, notifications are usually sent to next of kin or personal representative.
b. Substitute notice
If contact information is out of date and written notification cannot be made, a
substitute notification may be used.
• A substitute notification is usually in the form of either a conspicuous posting on The Town's home page of its Web site, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. The notice should include a contact phone number.
5) Notification to media
In addition to notifying individuals of a known breach, a notification to the media may
be required as well.
6) Notification to federal or state regulatory agencies
The Town may need to report breaches of unsecured information to federal or state
regulatory agencies.
7) Notification by Third Party Service Providers
A Third Party Service Provider responsible for a breach of The Town's PII or sensitive Town data will be required to notify The Town within a forty-eight hour timeframe. The timeframe should be defined in a Service Provider Agreement.
Third Party Service Provider breaches may result in The Town having to notify The Town's affected individuals (such as taxpayers, employees, etc.).
Appendix A—Security Incident Response Log
Incident Identification Information
Name:
Phone:
Email:
Date/Time Detected:
System/Application Affected:
Incident Summary
Type of Incident Detected:
(Denial of Service, Malicious Code, Unauthorized
Access, Unauthorized Use/Disclosure, Unplanned
System Downtime, Other)
Description of Incident:
Names of Others Involved:
Incident Notification
How Was This Notified?
(Security Office, IT Personnel, Human Resources,
Other)
Response Actions
Include Start and Stop times
Identification Measures (Incident Verified, Assessed, Options Evaluated):
Containment Measures:
Evidence Collected (Systems Logs, etc.):
Security Policy #4
Sanction Policy
Scope of Policy
This policy governs employee sanctions and disciplinary actions for The Town. All employees must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every employee.
Policy Statement
• It is the Policy of The Town to establish and implement appropriate, fair and consistent sanctions for employees who fail to follow established policies and procedures, or who commit various offenses. The IT Security Committee will develop these sanctions for the Town Board's consideration and approval.
• Sanctions applied shall be appropriate to the nature and severity of the error or offense, and shall consist of an escalating scale of sanctions, with less severe sanctions applied to less severe errors and offenses, and more severe sanctions applied to more severe errors and offenses.
• Offenses involving obvious illegal activity may result in notifications to appropriate law
enforcement authorities.
• All employee Sanctions will be documented by the IT Security Officer.
Based on the severity of the violation, varying levels of disciplinary action may be imposed such as:
• Verbal warning
• Written warning
• Education—training/retraining
• Removal of system privileges
• Suspension without pay
• Termination of employment
The Town may determine the type of disciplinary action(s)to be imposed based on the circumstances,
and the above levels do not have to be imposed progressively.
Procedures
• Inadvertent release of PII and sensitive Town data will be investigated, and disciplinary action will be determined by management and the extent of harm to the individual(s) involved.
• Accessing PII and sensitive Town data files that the employee has no reason to access is a violation that may result in immediate termination.
• Blatant disregard for The Town's Policies and Procedures may result in immediate termination.
• Intentional release of PII and sensitive Town data to someone who should not have access to
the information WILL result in immediate termination and possible prosecution.
All such discipline shall be subject to the applicable provisions of the New York State Civil Service Law
and/or the provisions of the Collective Bargaining Agreement between the Town and CSEA for
bargaining unit employees.
Security Policy & Procedure #5
Network Security
Purpose of Policy
The purpose of the policy is to describe the physical safeguards applicable for each server, desktop computer system and wireless computer system used to access, transmit, receive and store PII and sensitive Town data to ensure that appropriate security is maintained and that access is restricted to authorized employees.
Network Security
The Town will take reasonable and appropriate steps to prevent unauthorized access to workstations, servers and portable devices including laptops, tablets, smartphones, CD-ROMs, DVDs, USB Drives, etc. that store or access PII and sensitive Town data.
1) Workstations, laptops and tablets that are in common areas and that store or access PII and/or sensitive Town data should be physically placed so that the monitor cannot be viewed by unauthorized people, preventing them from seeing confidential information such as logins, passwords, PII and/or sensitive Town data.
2) Workstations, laptops and tablets that are in common areas that store or access PII and
sensitive Town data should utilize privacy screens to prevent unauthorized access to the
data.
3) Workstations, laptops and tablets that are in common areas that store or access PII and
sensitive Town data should be secured by restraints such as locking cables.
4) To the extent technically feasible all portable devices that contain PII and/or sensitive Town
data should be encrypted to protect the contents. In addition, encryption should be used
when sending any PII and/or sensitive Town data across public networks and wireless
networks. Public networks include email and Internet access.
5) Portable devices and media should be concealed from view when offsite to prevent theft.
6) All network servers, application servers, routers, database systems, device management
system hardware, and other servers should be located in a room or an area that can be
physically secured by lock and key or any other appropriate security mechanism to limit
access to only authorized personnel.
7) All workstations, servers and portable devices will run anti-virus/anti-malware software
that protect against malicious software. The software must be current and up to date with
virus/malware definitions. Employees must use and keep active current versions of
approved anti-virus/anti-malware software scanning tools to detect and remove malicious
software from workstations and files. Employees must not disable these tools unless
specifically directed by computer support personnel to do so in order to resolve a particular
problem.
8) A network firewall should be in place to protect PII and/or sensitive Town data. The firewall
protection should be up to date. Firewalls should be monitored and alerts should be
triggered in the event of unauthorized intrusion or suspected intrusion.
9) Log files from network equipment should be stored and retained. Log files from network
equipment include firewalls, network servers, desktops, laptops and other devices. The
required length of retention of log files may vary depending on federal, state or industry
regulations. This process must follow New York State Retention Regulations.
10) All workstations, servers and portable devices, where feasible, must implement a security
patch and update procedure to ensure that all relevant security patches and updates are
promptly applied based on the severity of the vulnerability corrected.
11) Periodic network vulnerability scans should be performed on all internal as well as external
(Internet facing servers, websites, etc.) systems. Results of the vulnerability scans should be
analyzed and known vulnerabilities should be remediated and/or patched. After all
vulnerabilities are remediated, an external network penetration test should be performed
to ensure that unauthorized external access into the network is prevented.
12) Reasonable and appropriate steps will be taken to prevent unauthorized access to
workstations, servers and portable devices from misuse and physical damage, vandalism,
power surges, electrostatic discharge, magnetic fields, water, overheating and other
physical threats.
a. Workstations must not be located where they will be directly affected by extremes
of temperature or electromagnetic interference. Precautions should also be taken
to ensure that workstations cannot be affected by problems caused by utilities, such
as water, sewer and/or steam lines that pass through the facility.
b. All facilities that store systems that contain PII and/or sensitive Town data should
have appropriate smoke and/or fire detection devices, sprinklers or other approved
fire suppression systems, and working fire extinguishers in easily accessible
locations throughout the facility.
c. All servers that contain PII and/or sensitive Town data should be connected to an
Uninterruptible Power Supply (UPS) to prevent server crashes during power outages
or spikes. Servers should be configured to shut down in a controlled manner if the
power outage is for an extended period of time.
d. All systems should be connected to surge protectors, where feasible, to protect
against power spikes and surges.
13) A user identification and password authentication mechanism shall be implemented to
control user access to the system. (See Security Policy #6 - Access Control).
14) Employees who suspect any inappropriate or unauthorized use of workstations should
immediately report such incident or misuse to the IT Security Officer.
Security Policy & Procedure #6
Access Control
Purpose of Policy
The purpose of the policy is to assure that systems containing PII and/or sensitive Town data are
accessed only by those persons or software programs that have been granted appropriate access rights.
Unique User Identification
1) Employees will be assigned a unique user identification (i.e. user id) in order to access any
system or application that transmits, receives or stores PII and/or sensitive Town data.
2) Each employee must ensure that their assigned user identification is appropriately protected
and only used for legitimate access to systems or applications.
3) If an employee believes their user identification has been compromised, they must report the
security incident.
4) Employees must create and use strong passwords to protect PII and sensitive Town data that
meet the following criteria:
a. Must be a minimum of eight characters in length;
b. Contain at least 3 of the following: capital letters, small letters, numbers or special
characters;
c. Automatically expire periodically, not to exceed 90 days;
d. Automatic account lockout after no greater than 25 attempts;
e. Password history: passwords cannot be reused for four (4) consecutive password
changes;
f. Passwords must expire and be changed at first login;
g. Default passwords must not be used.
5) Employees must comply with the following procedures to protect passwords:
a. Passwords shall not be written down.
b. Passwords shall not be shared with other employees.
c. If an employee suspects that their password has been compromised, they shall report
the incident immediately.
Automatic Logoff
1) Systems that access or store PII and/or sensitive Town data should implement an automatic
logoff after a determined period of inactivity (i.e. 10 minutes of inactivity). Employees would
need to login again to regain access and continue the session.
2) When leaving a server, workstation, or other computer system unattended, employees must
lock or activate the system's automatic logoff mechanism (e.g. CTRL, ALT, DELETE and Lock
Computer) or logout of all applications and database systems containing or accessing PII and/or
sensitive Town data.
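The password criteria in item 4 above (minimum length 8, three character classes, 90-day expiry, lockout after 25 attempts, history of 4) and the 10-minute automatic logoff map directly onto Windows account and security policy settings. The following PowerShell script is an added example, not part of the Town's WISP; it assumes a Windows workstation and an elevated session, and the lockout duration and counter-reset values are assumptions because the policy does not set them.

```powershell
# Added example (not from the Town's policy): apply the WISP account
# parameters to a Windows machine with secedit, then set the machine
# inactivity limit that enforces the 10-minute automatic logoff.
#Requires -RunAsAdministrator

# Security template in secedit INF format. INF comments begin with ';'.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; criterion a: at least eight characters
MinimumPasswordLength = 8
; criterion b: Windows complexity requires three of its character categories
PasswordComplexity = 1
; criterion c: passwords expire no later than 90 days
MaximumPasswordAge = 90
; criterion e: no reuse within four consecutive changes
PasswordHistorySize = 4
; criterion d: lock the account after no more than 25 bad attempts
LockoutBadCount = 25
; lockout duration and counter reset (minutes) are assumed values;
; the WISP leaves them unspecified
LockoutDuration = 30
ResetLockoutCount = 30
'@

$cfg = Join-Path $env:TEMP 'wisp-account-policy.inf'
$db  = Join-Path $env:TEMP 'wisp-account-policy.sdb'
Set-Content -Path $cfg -Value $inf -Encoding Unicode

# Apply only the account/security policy area of the template.
secedit.exe /configure /db $db /cfg $cfg /areas SECURITYPOLICY /quiet

# Automatic logoff: "Interactive logon: Machine inactivity limit" locks the
# session after 600 seconds (10 minutes) without input.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $key -Name 'InactivityTimeoutSecs' `
    -PropertyType DWord -Value 600 -Force | Out-Null

# Verify by exporting the effective policy and listing the values just set.
$out = Join-Path $env:TEMP 'wisp-account-policy-export.inf'
secedit.exe /export /cfg $out /areas SECURITYPOLICY /quiet
Select-String -Path $out -Pattern 'MinimumPasswordLength|PasswordComplexity|MaximumPasswordAge|PasswordHistorySize|LockoutBadCount'
```

Criterion f (change at first login) is a per-account flag rather than a policy setting; on a local account it is set with `net user <name> /logonpasswordchg:yes`.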
Encryption and Decryption
1) To the extent technically feasible all portable devices that contain PII and/or sensitive Town
data should be encrypted to protect the contents. In addition, encryption should be used
when sending any PII or sensitive Town data across public networks and wireless networks.
Public networks include email and Internet access.
2) Employees should be trained on the use of encryption to protect PII and sensitive Town
data.
3) All backup media that contain PII and/or sensitive Town data should utilize encryption to
protect the data.
4) Secure encrypted remote access procedures should be implemented to protect systems that
access or store PII and/or sensitive Town data.
a. Authentication and encryption mechanisms should be required for all remote access
sessions to networks containing PII and/or sensitive Town data. Examples of such
mechanisms include VPN clients, authenticated SSL web sessions, and encrypted
Citrix/RDP client access.
b. Two-factor authentication (i.e. SMS PIN notification) should be implemented where
technically feasible.
5) All wireless access to networks should utilize encryption mechanisms.
a. Employees should not utilize open public Wi-Fi networks.
Security Policy #7
Computer Use
Purpose of Policy
The purpose of this policy is to ensure that employees understand what functions should and should not
be performed on The Town's computers and network to maximize the security of PII and sensitive Town
data. The policy also provides guidance regarding proper safeguards of PII and sensitive Town data when
accessing social media sites.
Computer Use
1) To ensure that workstations and other computer systems that may be used to send, receive,
store or access PII and sensitive Town data are only used in a secure and legitimate manner,
all employees must comply with The Town's Computer Use Policy, a copy of which is
attached as Appendix A.
2) The Town may provide workstations and other computer systems to employees for the
purpose of performing their job functions. Employees shall be responsible for using
workstations appropriately in conformance with this Policy.
3) The Town may remove or deactivate any employee's user privileges, including but not
limited to, user access accounts and access to secured areas, when necessary to preserve
the integrity, confidentiality and availability of its facilities, user services, and data.
4) Employees must be assigned and use a unique User Identification and Password (See
Security Policy #6 - Access Control).
5) Employees that use The Town's information systems and workstation assets should have no
expectation of privacy. To appropriately manage its information system assets and enforce
appropriate security measures, The Town may log, review, or monitor any data stored or
transmitted on its information system assets.
Appendix A
Computer Use Policy
Introduction
This document provides guidelines for appropriate use of computer facilities and services. It is not a
comprehensive document covering all aspects of computer use. It offers principles to help guide
employees, and specific policy statements serve as a reference point. It will be modified as new
questions and situations arise.
Computers, the Internet and electronic mail (e-mail) are powerful research, communication,
commerce and time-saving tools that are made available to employees. The use of these efficient and
effective communication tools is critical but, like any tools, computers, the Internet and e-mail have the
potential to be used for inappropriate purposes.
Workstations and other computer systems may be provided to employees for the purpose of
performing their job functions. Employees shall be responsible for using workstations appropriately in
conformance with this Policy.
Policy
The following policies on computer,the Internet and electronic mail usage shall be observed by all
employees.
• Users of the Internet and e-mail are to comply with all appropriate laws, regulations and
generally accepted Internet etiquette.
• Primary purpose of the Internet and e-mail is to conduct official business.
• Users should identify themselves properly when using the Internet and e-mail, conduct
themselves professionally, and be aware that their activities reflect on the reputation
and integrity of all employees.
• Each user is individually responsible for the content of any communication sent over or
placed on the Internet and e-mail.
• All employees have a responsibility to ensure a respectful workplace. Computer
equipment must not be used to visit Internet sites that contain pornographic or sexually
explicit information, pictures, or cartoons.
• Exceptions to this policy are only allowed when pre-approved by supervisors or Town
management and deemed necessary for official business, research or investigatory
work.
The following actions are prohibited. It is unacceptable for employees to:
• Knowingly or intentionally publish, display, transmit, retrieve or store inappropriate or
offensive material on any department computer system.
• Create or distribute defamatory, false, inaccurate, abusive, threatening, racially
offensive or otherwise biased, discriminatory or illegal material.
• View or distribute obscene, pornographic, profane, or sexually oriented material.
• Violate laws, rules, and regulations prohibiting sexual harassment.
• Engage in any unauthorized activities for personal financial gain.
• Place advertisements for commercial enterprises, including but not limited to, goods,
services or property.
• Download, disseminate, store or print materials including articles and software, in
violation of copyright laws.
• Download any software, including but not limited to games, screen savers, toolbars or
any other browsing tools without the permission of supervisors, Town management or
IT staff.
• Violate or infringe on the rights of others.
• Conduct business unauthorized by The Town.
• Restrict or inhibit other users from using the system or the efficiency of the computer
systems.
• Cause congestion or disruption of networks or systems, including distribution of chain
letters.
• Transmit incendiary statements, which might incite violence or describe or promote the
use of weapons.
• Use the system for any illegal purpose or contrary to Town policy or business interests.
• Connect a personal computer to The Town network without having the computer
checked by IT staff to ensure no threatening viruses/programs infect The Town
network.
• Monitor or intercept the files or electronic communications of other employees or third
parties.
• Hack or obtain access to systems or accounts they are not authorized to use.
• Disclose a Login ID(s) or password to anyone, or allow anyone to access any
information system with someone else's Login ID(s) or passwords.
• Use other people's Login ID(s) or passwords to access any information system for any
reason.
• Post any PII or sensitive Town data on social network sites, public forums, etc. This
includes posting pictures of PII or sensitive Town data or pictures of taxpayers without
permission.
• Remove electronic media that contains PII or confidential or proprietary information
unless such removal is authorized by the employee's supervisor or Town management.
Any employee who abuses the privilege of their access to e-mail or the Internet in violation of this
policy will be subject to corrective action, including possible termination of employment, legal
action, and criminal liability.
Employees will immediately report any activity that violates this agreement to the employee's
supervisor, Town management or Town IT Security Officer.
I have read, understand, and agree to comply with the foregoing policies, rules, and conditions
governing the use of The Town computer and telecommunications equipment and services. I
understand that I have no expectation of privacy when I use any of the telecommunication equipment
or services. I am aware that Internet and e-mail may be subject to monitoring. I am aware that
violations of this guideline on appropriate use of the e-mail and Internet systems may subject me to
disciplinary action, including termination from employment, legal action and criminal liability. I
further understand that my use of the e-mail and Internet may reflect on the image of The Town to
our taxpayers, general public and suppliers and that I have a responsibility to maintain a positive
representation of The Town. Furthermore, I understand that this policy can be amended at any time.
By signing this Agreement, I agree to comply with its terms and conditions. Failure to read this
Agreement is not an excuse for violating it. The Town may deny access to information systems if this
Agreement is not returned signed and dated.
Signature Date
Requestor's Immediate Supervisor Signature Date
Access Agreement Approved by(printed name) Date
Security Policy #8
Disposal Procedure
Purpose of Policy
All media containing PII and sensitive Town data will be disposed of in a manner that destroys the data
and does not allow unauthorized access to the data.
Procedures for computer/hardware disposal
1) The IT Security Officer will notify the Information Technology (IT)
department/town/individual of equipment that needs to be disposed of.
2) The IT Security Officer will determine the sensitivity of data to be disposed of. (See Data
Classification Table below)
3) IT will assess the condition of the equipment, and:
a. IT will track the disposal of the device (type of hardware, serial number, etc.). See
Appendix A: Media Disposal Log.
b. IT will run approved wiping software on all devices to make sure all PII and sensitive
Town data is removed from the device.
i. This may include physical destruction (See Methods of Destruction below).
c. IT will verify the hardware's data has been removed.
d. IT will dispose of the hardware.
4) With approval of the RMO, the IT Security Officer will document the destruction of the asset
and keep a record. See Appendix A: Media Disposal Log.
5) If taken to an outside facility: the media shall be taken to an approved, certified facility for
erasure or destruction. A letter of certification regarding date and time of
erasure/destruction shall be obtained and given to the RMO.
Data Classification Table:
1) Low (Unclassified) - No requirement to erase data, but in the interest of prudence normally
erase the data using any means such as reformatting or degaussing.
• Basic operating system, personal files, etc.
2) Med (Sensitive but not Confidential) - Erase the data using any means such as reformatting or
degaussing.
• This would be for business related information which is not considered sensitive Town
data.
3) High (Confidential) - The data must be erased using an approved technology to make sure it is
not readable using special technology techniques. (See Methods of Destruction below)
• This would be for PII and sensitive Town data.
Examples of hardware devices include:
• Workstation
• Laptop
• Tablet (iPad/Android)
• Smartphones
• Server hard drives
• Memory stick (USB drives)
• CD ROM disk/DVD ROM
• Storage/Backup tape(s)
• Hard drives
• Copiers/Scanners/ Fax machines
• Any equipment that contains PII or sensitive Town data
Any disposal of records or data must be done in compliance with Federal, State and Local Law, as well as
any other Town Policies regarding data retention.
Methods of Destruction Table:
Clear: One method to sanitize media is to use software or hardware products to overwrite storage
space on the media with non-sensitive data. This process may include overwriting not only the logical
storage location of a file(s) (e.g., file allocation table) but also may include all addressable
locations. The security goal of the overwriting process is to replace written data with random data.
Overwriting cannot be used for media that are damaged or not rewriteable.
Purge: Degaussing and executing the firmware Secure Erase command (for ATA drives only) are
acceptable methods for purging. Degaussing is exposing the magnetic media to a strong magnetic field
in order to disrupt the recorded magnetic domains. A degausser is a device that generates a magnetic
field used to sanitize magnetic media. Degaussers are rated based on the type (i.e., low energy or high
energy) of magnetic media they can purge. Degaussers operate using either a strong permanent magnet
or an electromagnetic coil. Degaussing can be an effective method for purging damaged or inoperative
media, for purging media with exceptionally large storage capacities, or for quickly purging diskettes.
Destroy: There are many different types, techniques, and procedures for media destruction. If
destruction is decided on because of the high security categorization of the information, then after
the destruction, the media should be able to withstand a laboratory attack.
• Disintegration, Pulverization, Melting, and Incineration. These sanitization methods are
designed to completely destroy the media. They are typically carried out at an outsourced
metal destruction or licensed incineration facility with the specific capabilities to perform
these activities effectively, securely, and safely.
• Shredding. Paper shredders can be used to destroy flexible media such as diskettes once the
media are physically removed from their outer containers. The shred size of the refuse should
be small enough that there is reasonable assurance, in proportion to the data confidentiality,
that the data cannot be reconstructed.
Optical mass storage media, including compact disks (CD, CD-RW, CD-R, CD-ROM), optical disks (DVD),
and MO disks, must be destroyed by pulverizing, crosscut shredding or burning. When material is
disintegrated or shredded, all residues must be reduced to nominal edge dimensions of five millimeters
(5 mm) and surface area of twenty-five square millimeters (25 mm²).
Appendix A-Media Disposal Log
The below data was disposed/destroyed as required in Security Policy #8 (Disposal Procedure).
Date of Destruction: 10/28/2015
Authorized By: Click here to enter text.
Description of Information Disposed of or Destroyed (include Manufacturer/Model/Serial
Number/etc.):
Click here to enter text.
Backup of Personally Identifiable Information (PII), Private Health Information ( ) or sensitive Town
data? Required if PII or data is the only copy.
❑Yes
❑ No
If Yes, List Backup Location: Click here to enter text.
Method of Destruction:
❑ Clear (One method to sanitize media is to use software or hardware products to overwrite storage
space on the media with non-sensitive data. This process may include overwriting not only the logical
storage location of a file(s) (e.g., file allocation table) but also may include all addressable locations. The
security goal of the overwriting process is to replace written data with random data. Overwriting cannot be
used for media that are damaged or not rewriteable.)
❑ Purge (Degaussing and executing the firmware Secure Erase command (for ATA drives only) are
acceptable methods for purging. Degaussing is exposing the magnetic media to a strong magnetic field in
order to disrupt the recorded magnetic domains. A degausser is a device that generates a magnetic field
used to sanitize magnetic media. Degaussers are rated based on the type (i.e., low energy or high
energy) of magnetic media they can purge. Degaussers operate using either a strong permanent magnet
or an electromagnetic coil. Degaussing can be an effective method for purging damaged or inoperative
media, for purging media with exceptionally large storage capacities, or for quickly purging diskettes.)
❑ Destroy (There are many different types, techniques, and procedures for media destruction. If
destruction is decided on because of the high security categorization of the information, then after the
destruction, the media should be able to withstand a laboratory attack. Methods include disintegration,
pulverization, melting, incineration and shredding; see the Methods of Destruction Table above.)
Destruction Method Used:
Click here to enter text.
Final Disposition of Media:
❑ Disposed
❑ Reused Internally
❑ Reused Externally (sold/donated /etc.)
❑ Returned to Manufacturer/Leasing Company/Vendor/etc.
❑ Other: Click here to enter text.
This log must be given to the Town's RMO. Upload to the PII Protect Security Portal.
Security Policy #9
Bring Your Own Device (BYOD) Policy
Purpose of Policy
The purpose of the policy is to develop the appropriate safeguards to protect PII and sensitive Town
data on employee personally owned devices. Proper security controls are essential to protect any
sensitive information that may be on these devices. Documented instructions and requirements should
be provided to all employees that may be accessing or storing PII and sensitive Town data on their
personally owned devices and acknowledgement of acceptance should be documented and retained.
Bring Your Own Device (BYOD) Policy
1) The Town has the right to deny or revoke an employee's access to PII and/or sensitive Town
data or levy sanctions laid forth in The Town's sanction policy.
2) Encryption of devices usually offers a safe harbor under federal and state regulations and is the
strongest protection against a data breach. Encryption should be used on all devices that access
or store PII and/or sensitive Town data.
3) Employees are not permitted to access PII and/or sensitive Town data on personally owned
devices unless authorized and approved. Only approved devices that are properly configured
will be given access to PII and/or sensitive Town data.
4) The Town will limit who has access to PII and/or sensitive Town data on their personally owned
devices. The Town will provide employees with only the limited amount of access to PII and/or
sensitive Town data needed to perform their job function.
5) The organization and their Information Technology (IT) group/provider will work together to
manage and enforce this Bring Your Own Device (BYOD) policy.
Procedure
1) Employees must request permission to use personally owned devices and fill in the registration
form provided.
2) The IT Security Committee will periodically review and update this policy when new
requirements are implemented or when security requirements change. Employees will be
notified of any changes.
3) The Town and its IT Security Officer reserve the right to monitor and inspect devices registered
in its BYOD program to ensure that PII and sensitive Town data are being properly protected.
4) Upon an employee's termination of employment, The Town and its IT Security Officer will
ensure that any devices the employee has with PII and/or sensitive Town data are returned to IT
for a final analysis and removal of any PII and/or sensitive Town data or applications that access
PII and/or sensitive Town data. This will be conducted as soon as possible to limit inappropriate
access to PII and/or sensitive Town data.
5) Documentation, acknowledgement and registration forms will be retained for all employees and
kept in their employee folder. Documentation must also be provided to employees initially and
upon request.
Appendix A
Bring Your Own Device Policy
This document provides the guidelines for a Bring Your Own Device (BYOD) policy for The Town. It offers
principles to help guide employees and staff and can be modified by The Town to better reflect their
specific needs.
The Town's employees may have the ability (approval required) to bring and utilize various personal
devices that may have the ability to access, store or transmit PII and/or sensitive Town data. Devices
include but are not limited to smartphones, tablets and laptops. Employees must be aware that when
accessing PII and/or sensitive Town data on their personally owned devices, they must protect that
information. The ability for employees to utilize personally owned devices is a privilege and The Town
reserves the right to revoke this privilege if an employee does not abide by the policies laid forth.
Devices Permitted
Smartphones accepted (brand and model):
Tablets accepted (brand and model):
Laptops: personally owned laptops must be accepted and approved by Town management.
Additional Devices: other additional personal devices that may access or store patient information must
be approved by Town management and IT.
Specifically excluded devices:
Security Requirements
• All devices must be password protected.
• Passwords must be complex, requiring a minimum of 6 characters and a combination of upper- and
lower-case letters, numbers and symbols.
• Devices must lock after five incorrect password attempts.
• Devices must "time out" and require a password after a five-minute period of inactivity.
• Text messages that may contain PII and/or sensitive Town data must be sent through the
secure texting application provided. If a secure texting application has not been provided, then
employees should not send PII and/or sensitive Town data via text.
• Emails that are sent through the device containing PII and/or sensitive Town data must be sent
encrypted. If secure email encryption is not provided, employees should not send emails that
contain PII and/or sensitive Town data.
Restrictions and Limitations
• "Rooted" or "Jailbroken" devices are not permitted to access PII and/or sensitive Town data.
• Employees must notify management when selling, trading in, recycling or disposing of their
personal devices.
• The employee's device may have data remotely deleted/wiped if 1) the device is lost or stolen,
2) the employee terminates his or her employment, or 3) IT detects a data or policy breach, a virus
or similar threat to the security of The Town's data and/or technology infrastructure.
• Devices that are lost or stolen must be reported to management and/or IT as soon as possible
but within 24 hours.
• Employees must inform management and/or IT if they plan to upgrade, recycle or dispose of
their personally owned device.
• Employees who voluntarily resign from the organization must present their device(s) to
management and/or IT within 48 hours to have all PII and/or sensitive Town data and/or access
deleted/removed from the device.
o Employees who do not turn over their device(s) to management and/or IT within 48
hours after voluntary resignation are subject to a full remote wipe/deletion of all data,
including non-PII and sensitive Town data, on their device.
• The organization will prepare for scheduled terminations in advance and ensure that employees
present their device(s) to management and/or IT the day of the scheduled termination to have
all PII and sensitive Town data and/or access deleted/removed from the device. Terminated
employees that do not present their device(s) will be given an opportunity to bring in their
device(s) to have all PII and sensitive Town data removed from the device(s). Terminated
employees that fail to bring in their device(s), after being given the opportunity, are subject to a full
remote wipe/deletion of all data, including non-PII and/or sensitive Town data, on their device.
Additional Information
The organization will provide any additional specifications, requirements or restrictions in this section.
Sanctions
Violations or abuse of this policy are subject to the repercussions laid out in The Town's sanction policy.
Bring Your Own Device—Device Registration form
Employee name:
Position/title:
Phone number: Secondary Phone number:
Device and Description:
Serial Number: MAC Address:
Access points; where will patient information be accessed (email, text messages, applications, web, etc.):
Device Security Specifications (for IT and/or Town of Queensbury management to complete):
Security Specification      | Implemented (yes or no) | Details or additional information
Operating system            |                         |
Encryption                  |                         |
Anti-virus service          |                         |
Secure Texting Application  |                         |
Timeout/lock settings       |                         |
Password requirements       |                         |
Web browser                 |                         |
Mobile wipe                 |                         |
E-mail provider             |                         |
Additional information, specific device restrictions and requirements should be detailed below:
I have read, understand, and agree to comply with the foregoing policies, rules, and conditions
governing the use of personally owned devices that may access,store or transmit PII and sensitive
Town data. I am aware that violations of this guideline of appropriate use may subject me to retraction
of this privilege or disciplinary action, including termination of employment. I further understand that
inappropriate use of my device that may put PII and sensitive Town data at risk may negatively affect
taxpayers,The Town and myself.
I am aware of the technical restrictions and requirements on my device that were provided in the
device registration form. I will maintain and manage these security requirements on my device for as
long as I continue to access,store or transmit PII and sensitive Town data. I understand that The Town
reserves the right to protect its information as well as sensitive Town data that I may be accessing and
therefore have the ability to remotely wipe/delete data from my device if the need arises.
By signing this Agreement, I agree to comply with its terms and conditions. Failure to read this
Agreement is not an excuse for violating it.
Signature Date
Requestor's Immediate Supervisor Signature Date
Information Technology Provider's Signature Date
Security Policy #10
Facility Security Plan
Purpose of Policy
The purpose of the policy is to define the procedures that will limit physical access to PII and sensitive
Town data and the facility or facilities in which such systems are housed,while still ensuring that proper
authorized access is allowed.
Facility Security Plan
1) Physical security of office buildings must be implemented to protect PII and sensitive data as
well as other Town assets. Physical measures might include: alarm systems, surveillance cameras,
fences, locked gates/doors, etc.
2) All systems that store or access PII and/or sensitive Town data should be stored in locked rooms,
closets or cabinets to prevent unauthorized access. Access to these facilities should be
minimized and limited to only employees and/or vendors that need access to perform their job
function.
3) Where practical, all visitors should be restricted from areas where files or systems containing PII
and/or sensitive Town data are stored. Alternatively, visitors must be escorted or accompanied
by an approved employee in any area where files or systems containing PII and/or sensitive
Town data are stored.
4) A clean desk policy will be implemented and includes the following: All employees are
prohibited from keeping unsecured paper files containing PII and sensitive Town data in their
work area when they are not present (e.g. lunch breaks). At the end of the day, all files
containing PII and/or sensitive Town data are to be stored in a locked filing cabinet, desk drawer
or other locked location. Any systems that store or access PII and/or sensitive Town data should
be closed or access should be terminated (i.e. system logoff).
5) The IT Security Officer and the town's Building & Grounds Superintendent shall maintain a
secured and confidential master list of all lock combinations, passcodes, and keys. The list will
identify which employees possess keys, keycards, or other access devices and confirm that only
approved employees have been provided access credentials.
6) Where practical, all visitors who are expected to access areas other than common space or are
granted access to office space containing PII and/or sensitive Town data should be required to
sign in with a Photo ID at a designated reception area where they will be assigned a visitor's ID
or guest badge unless escorted at all times. Visitors must be escorted or accompanied by an
approved employee in any area where files containing PII and/or sensitive Town data are
stored.
STROUGH\MISCELLANEOUS\Written Information Security Policy—WISP—Proposed FINAL Version April 25 2019
