RESOLUTION NO. 16-13

A RESOLUTION ADOPTING A DATA SECURITY POLICY FOR THE TOWN OF FIRESTONE

WHEREAS, the Town of Firestone contracts with the Colorado Intergovernmental Risk Sharing Agency ("CIRSA") to provide general liability insurance; and

WHEREAS, CIRSA has recommended that the Town implement a Data Security Policy to provide guidance in the event of a data security compromise or data breach; and

WHEREAS, the Board of Trustees finds that a Data Security Policy should be adopted in order to provide general guidance on the appropriate actions to be taken and documented in the event of a data security issue or data breach that could compromise the security of the Town's sensitive information; and

WHEREAS, the Board of Trustees finds that the adoption of the Data Security Policy will promote and support the best interests of the Town; and

WHEREAS, the Board of Trustees by this Resolution desires to adopt a Data Security Policy;

NOW, THEREFORE, BE IT RESOLVED BY THE BOARD OF TRUSTEES OF THE TOWN OF FIRESTONE, COLORADO:

Section 1. The Board of Trustees hereby approves and adopts the Town of Firestone Data Security Policy attached to this Resolution.

Section 2. The Data Security Policy approved and adopted by this Resolution shall take effect ____________, 2016.

INTRODUCED, READ, and ADOPTED this ____ day of ____________, 2016.

TOWN OF FIRESTONE, COLORADO

____________ Sorensen, Mayor

____________, Town Clerk

Town of Firestone Data Security Policy

Purpose

The purpose of this Data Security Policy is to provide general guidance on the appropriate actions to be taken and documented in the event of a possible data security issue or data breach. The timeframe covered by the Data Security Policy ranges from the time of a suspected breach to post-incident response closure, so that all incidents are handled in a consistent manner and the exposure to the potentially breached party is limited.
It also provides a methodology for collecting evidence in the event of criminal activity. Documentation of the responsive actions taken in connection with any data security incident or data breach, as well as documentation of post-incident events and actions taken, is critical to making appropriate changes to business practices that improve the safeguarding and handling of the Town's sensitive information and personally identifiable information ("PII").

Applicability

This Data Security Policy applies to all users who may experience or witness a data security incident or possible data breach. After discovery of a possible data breach, this process provides our Data Security Team with a checklist or outline for responding so that no step or piece of information related to the incident is missed. The Town is committed to protecting our information and responding appropriately to a data security incident or data breach.

Scope

Protection of our information and data is paramount. This Data Security Policy provides a checklist for responding to a data security incident or potential data breach, whether intentional or unintentional, because data breach events have an adverse effect on the Town's network.

Policy/Procedures

This Data Security Policy describes the Town's safeguards to protect sensitive information, including PII. These safeguards:

• Protect the confidentiality, integrity and availability of data and the Town's network.
• Protect against a data breach that could result in harm or inconvenience to a resident or user, and meet any notification requirements.
• Protect against anticipated threats or hazards to the security or integrity of sensitive information, including PII.
• Identify and assess the risks that may threaten PII.
• Conduct a reasonable investigation to determine the likelihood that information has been or will be misused.
• Conduct a post-incident investigation to capture lessons learned.
• Develop written policies and procedures to manage and control the identified risks or vulnerabilities.
• Adjust the Town's network security to reflect changes in technology, the sensitivity of data stored, and internal or external threats to information security.

Data Security Policy 1 June 29, 2016

Data Security Team

A Data Security Team ("DST") has been formed. This group consists of a representative from the Town's Information Technology ("IT") contractor and the Resources and Sustainability Coordinator. The DST will meet annually to ensure that all participants on the team know their roles in the event of a true incident.

Process

This section establishes the steps the DST will use to respond to an incident and to initiate the Data Security Policy.

I. Data Security Process - Initial Discovery

1. In the event of a suspected or observed security incident, data breach, potential system compromise, or malicious activity, the DST shall be contacted.
2. In order to determine whether there has been a security incident, and the nature and seriousness of the incident, the DST will consider and discuss the following questions with the appropriate parties and document the responses.
   • Does the potential compromise involve Town sensitive information or PII?
   • Does law enforcement need to be involved?
   • Is there a requirement or desire to perform a forensic analysis of the system compromise?
   o If the answer is "yes" to any of these questions, the DST will immediately coordinate the actions to be taken and apply steps 3-11 below as appropriate.
   o If the answer is "no" to all of the questions, the DST will apply steps 3-11 below as appropriate.
3. The DST will perform a preliminary analysis and isolate the compromised system by disconnecting its network cable. If this is not feasible or desirable, IT can block access to the compromised system via the network.
4.
Determine the security incident type: try to determine the cause of the malicious activity and the level of system privilege attained by the intruder.
5. Disable any compromised accounts and terminate all processes owned by them.
6. Compile a list of IP addresses involved in the incident, including log entries if possible.
7. Determine which users' passwords need to be changed because of the compromise, as well as whether those users have accounts on other systems using the same credentials, and notify the IT administrators for those systems.
8. Notify the owners of the compromised accounts and reissue credentials. Consider the likelihood that the intruder has access to the compromised account's email, and use another contact method.
9. Determine whether all affected users have established new passwords.
10. IT will rebuild the system and verify that it is appropriate to re-establish its network access.
11. IT will perform a network vulnerability scan of the system, if feasible and practical, after it is unblocked, to identify any unresolved security issues that might be used in future attacks against the system.

II. Post-incident Lessons Learned

The DST will:
1. Hold a meeting within 48 hours of completion of the response.
2. Review the chronology of the event.
3. Identify what went wrong and what went right (for instance, "encryption was used on the file server containing Town confidential information and PII").
4. Identify the threats or vulnerabilities that were exploited and determine whether they can be alleviated.
5. Review whether all intrusion detection or prevention measures were in place, active and up to date.
6. Document "lessons learned" and assign appropriate updates to the Data Security Policy or other operational processes.

III. Privacy Breach Incident Response

If a security incident is suspected to be a data privacy breach, the DST will:
1. Immediately notify the Town Manager and the Town Attorney.
2.
Determine what information is suspected to have been breached, e.g., specific individuals' first and last names together with a type of PII.
3. When appropriate, bring in an incident response expert or law enforcement to conduct an investigation. Identify the scope, time frame and source(s) of the breach, the type of breach, whether data encryption was used and for what, and possible suspects (internal or external, authorized or unauthorized, employee or non-employee user).
4. Review for other compromised systems.
5. Monitor all systems for potential intrusions.

Accountability

All users are required to report any suspected data breach of the Town's network to the DST. The DST will respond to any incident, analyze and collect the audit records and any logs, and redeploy new credentials to affected users after identification. IT will be responsible for maintaining updates to the Town's network security post-incident and, at a minimum, annually. The DST will be responsible for providing the Town Attorney with documentation, after an incident, of the types of personal information that may have been breached, providing guidance throughout the investigation on privacy issues, and assisting in developing the communication plan for impacted individuals.

Compliance

Violations of this policy may lead to the suspension or revocation of system privileges and/or disciplinary action up to and including termination of employment. The Town intends to advise the appropriate authorities of any violation of the law.

ACKNOWLEDGMENT

I have received a copy of the Town of Firestone's Data Security Policy and understand that in order to continue my employment with the Town of Firestone I must follow the terms outlined by this policy.
I understand that this policy in no way modifies my status as an at-will employee and in no way implies, infers, or guarantees my continued employment for any definite term, and that I may be dismissed at the discretion of my employer for reasons other than failing to follow the terms of this policy.

Employee Name: ______________________

Employee Signature: ______________________

Date: ______________________

Data Security Policy Acknowledgement May 9, 2016