116 Information Systems Security
Original Approval Date: July 15, 2009
Revision Effective: September 21, 2022
Any misuse of Tri-County Board computers or violation of this policy may result in disciplinary action up to and including termination.
A. Malware Protection. Malware is any type of software that is intended to disrupt, damage, or gain unauthorized access to a computer system. Malware may infect or attempt to infect computer systems with or without specific actions of the user. To protect the integrity of the Board’s equipment, networks, and data, employees and guest users will adhere to the following procedures and requirements:
1. Media and software must be approved by the Director of Information Services prior to usage.
2. Portable media must be scanned before usage on any computer that can access the Board’s secure network.
3. Computers with access to the Board’s secure network shall maintain current anti-malware software, and shall be configured to perform a complete system scan nightly, or at a frequency determined by the Director of Information Services.
4. If malware is detected or suspected, immediately notify the Director of Information Services or your Supervisor.
B. Software:
1. Software is to be installed by the Director of Information Services, except as described in Section D.5.
2. The Board does not permit unauthorized copying or installation of software.
C. Data Integrity and Backup Procedures:
1. Regular backups are to be performed under the direction of the Director of Information Services.
2. A full backup of all data is to be completed nightly.
3. Additional full backups are to be completed regularly according to a documented schedule and stored offsite.
4. Backup media will be securely stored.
5. Backups are to be tested periodically to ensure accuracy and completeness.
6. Media to be disposed of containing Electronic Protected Health Information shall be physically destroyed according to procedures established by the Director of Information Services.
7. Media containing Electronic Protected Health Information (EPHI) is defined as any device or device component that may store, or provide access to, health information related to clients or employees.
D. Security:
1. Devices with access to the Board’s secure network, or that contain Electronic Protected Health Information, shall be secured by passwords that meet or exceed HIPAA requirements.
2. Staff members shall not share individual passwords with others or post passwords in a publicly visible manner. If a staff member is locked out of systems or devices, or forgets their password, they must report to a network administrator to have passwords reset.
3. Staff members should close all applications or lock their workstation when leaving the Board premises. Applications providing access to Electronic Protected Health Information should be closed before the staff member leaves their individual office.
4. Systems shall auto-lock after a maximum of 15 minutes of inactivity per HIPAA guidelines. Offices are to be secured at the end of the work day.
5. The server shall remain in a separate, secured room and shall be accessed only by authorized personnel.
6. HIPAA-acceptable standards shall be met or exceeded in the transmission of EPHI data. Data transferred between the Board and State entities shall comply with protocol requirements for usage on the State provided network. Data transferred between the Board and other contracted entities shall follow Board-developed procedures.
7. Fax or e-Fax transmissions of documents containing Protected Health Information shall adhere to State and HIPAA guidelines.
8. When an employee is hired, access to the Board’s secure network shall be established by the Director of Information Services or Network Administrator. When an employee terminates employment with the Board, the Director of Information Services or Network Administrator shall ensure that the employee’s access to the Board’s secure network has been terminated, and that all Board-owned devices in the possession of the employee are secured.
9. The Director of Information Services or Network Administrator shall manage any outside agency’s or provider’s access to the Board’s secure network for services delineated in the service contract, and termination of access upon termination of the service contract.
10. When an individual’s, agency’s, or provider’s access is terminated, relevant state agencies shall be notified immediately so that access to secure State systems can be terminated.
11. If a device able to connect to the Board’s secure network, or containing EPHI or able to access EPHI, is believed to be lost or stolen, the employee using the device at the time of loss shall immediately inform their supervisor and the Director of Information Services.
D. Internet Access:
1. Internet access is available via connections with established monitoring and security. Board computers that access the Board’s secure network, or that contain EPHI or have access to EPHI, shall not access the internet for any purpose by any means not approved by the Director of Information Services or Network Administrator.
2. Guest access to the internet may be provided for the facilitation of training, virtual meetings, or other purposes related to Board functions. Terms and conditions for accessing guest networks will be published by the Director of Information Services or Network Administrator, and may be revoked at any time and for any reason.
3. No use of the internet for commercial purposes will be allowed, nor any use which is considered to be offensive or harassing to another person.
4. Devices that are not configured to access the Board’s secure network, whether owned by the Board, employees, or guests of the Board, which use guest privileges to access the internet, are expected to use up-to-date anti-malware software. The Director of Information Services or Network Administrator may deny access to guest internet when they have reasonable concern about the guest device.
5. Internet-based software and services may be used for virtual meetings, presentations, and other purposes. Use of such software and services on any device able to connect to the Board’s secure network, or containing EPHI or able to access EPHI, shall be approved prior to use by the Director of Information Services. Such software or services may be used without prior approval by employees or guests with reasonable precautions on devices not able to connect to the Board’s secure network, or not containing EPHI or able to access EPHI.
6. Where employees require the use of internet-based applications and services for the efficient conduct of Board business, any account information, including username, password, and account recovery or authentication methods must be shared with the Director of Information Services and maintained in a documented record of internet accounts and services.
7. Documents created by, stored on, or shared through internet-based applications and services may be subject to open records laws and records retention requirements. Employees should discuss such requirements with their supervisor prior to use.
E. Protecting systems from environmental damage.
1. Computer systems, peripherals, and other network communication equipment shall be protected from power surges and outages by methods deemed reasonable and appropriate by the Director of Information Services.
2. Software installation media shall be stored in a secure location.
G. Disaster Recovery Plan
1. In case of an emergency affecting computer systems or networks, the Director of Information Services will be contacted to assess the situation and implement any required recovery procedures.
2. The Director of Information Services will maintain records of all hardware purchased, with configurations, acquisition date, software installed, and warranty information.
3. The Board may utilize information services consultants as needed.
4. On-site and off-site back-ups as well as software and support documentation will be kept in a secure location.
H. Insurance Coverage
1. The Tri-County Board holds a property insurance policy which covers loss of computer equipment. Loss or damage to equipment owned by employees or guests may not be covered.