County of Rockland

Network and Computer Security
Policy 03-5
  


County Executive
C. Scott Vanderhoef

Incorporates and expands the previous Executive policies for

Internet
Laptop Computers 
Electronic Mail

Table of Contents




Scope of Security Policy
  
Protected Assets
   Domains of Security
   Policy approval
   Responsibilities
   Availability
   Changes 

Conditions of Use of Networking and Computing Resources 

Code of Practice for Specific Activities
   Internet Security
   Acceptable Use Policy
   Illegal Activity
   Objectionable Material
   Restricted Material
   Restricted Software and Hardware
   Copying and Copyrights
   Harassment
   Wasteful Use of Network Resources
   Game Playing/Gambling
   Commercial Use
   Use for Personal Business
   Additional Guidelines at Local Sites
   Connection to the Enterprise-Wide Data Network
   Use of Desktop Systems 

Standard Of Conduct
   County of Rockland Rights
   Enforcement and Violations 

Guidelines on Passwords
   Password Management
   Password Administration
   Access Security
   Password Guidelines
   Password Construction

Personnel Security
   Privacy
   Right to Examine
   Public Representation
Access Control

Reporting Security Problems  

Desktop Computer Security Guidelines  
  
Definitions
   General Obligations

   Confidentiality and Security

Laptop Computer Policy

   
  Purpose And Goals
   Access to Laptop Computers
   Use of Laptop Computers
   Privacy and Access
   Roles and Responsibilities 
   Policy Review and Update
   Hardware Security
   Data and Software Availability
   Confidential Information
   Software
  
Viruses
   Computer Networks

Physical Security                 

Physical Access           

Intrusion Protection  

The Modem Interface 

Regional and Wide Area Networks            

Software Purchasing Policy  

Electronic Mail
  
Introduction
   Purpose and Goal
   Access to E-mail Services
   Use of E-mail
   Privacy and Access
   Security
   Management and Retention of Email Communications
   Roles and Responsibilities
   Policy Review and Update

Scope of Policy

The County of Rockland acknowledges an obligation to ensure appropriate security for all Information Technology data, equipment, and processes in its domain of ownership and control. Everyone employed by the County of Rockland shares this obligation, to varying degrees. 

Protected Assets

The assets that must be protected include:

 -Computer and Peripheral Equipment
 -Communications Equipment
 -Computing and Communications Premises
 -Power, Water, Environmental Control, and Communications utilities
 -Supplies and Data Storage Media
 -System Computer Programs and Documentation
 -Application Computer Programs and Documentation
 -Information
 

Domains of Security

This policy will deal with the following domains of security:

  • Computer system security: CPU, peripherals, operating systems. This includes data security.

  • Physical security: the premises occupied by the IT personnel and equipment

  • Operational security: environment control, power equipment, operational activities

  • Procedural security by IT, divisions, business partners, contractors, management personnel, as well as ordinary users

  • Communications security: communications equipment, personnel, transmission paths, and adjacent areas 

Policy Approval

Approval of the Security Policy is vested with the County Executive of the County of Rockland.

Advice and opinions on the Policy will be given by:

  • Information Technology Policy Committee, which includes the Director of MIS, the Assistant Directors of MIS, Communications and Networking and others. 

Formulation and maintenance of the policy is the responsibility of the Director of MIS.

Approval is the responsibility of the County Executive.

Responsibilities

MIS will be responsible for all system platforms on the internal County network and will have the responsibility to ensure, to the best of their ability, that the County network is performing up to and working 24/7 to users' complete satisfaction.

MIS will be responsible for the communications systems.

Department Heads will be responsible for applications under their management control (e.g. Finance, Human Resources).

Individuals will be responsible for desktop systems under their control.  

Availability

It is intended that this Information Technology Security Policy be publicly accessible in its entirety via the Rockland County Intranet web site – RCWEB. It is mandatory that all users of County IT resources be familiar with relevant sections of this policy. 

Changes

The Information Technology Security Policy is intended to be a “living” document that will be altered as required to deal with changes in technology, applications, procedures, legal and social imperatives, perceived dangers, etc.

Major changes will be made in consultation with the Director of MIS, The Commissioner of General Services, and with the approval of the County Executive.

The Director of MIS and the Commissioner of General Services will approve minor changes to the Security document. 

A change will be considered “minor” when there is no significant impact on all employees of the County and it is determined by the Director of MIS and the Commissioner of General Services that the involvement of the County Executive is not required to effect the minor change. Minor changes could include the addition of new software, upgrades and technologies that are transparent to the users and no user involvement is required. 

A change will be considered “major” when there is a significant impact on all employees of the County and it is determined by the Director of MIS and the Commissioner of General Services that the involvement of the County Executive is required to effect the minor change. Major changes could include the addition of hardware and software technology such as biometric devices and electronic signatures that would have a direct impact on the user and therefore the County Executive would be advised of the contemplated changes to this policy.

Conditions of Use of Network and Computing Resources

  1. All persons using the computing and networking facilities shall be responsible for the appropriate use of the facilities, and shall observe conditions and times of usage as allowed by the Administrator of the system.
     

  2. It is the policy of the County of Rockland that its computing and associated network facilities are not to be used for commercial purposes or non-County-related activities without written authorization from the County of Rockland. In any dispute as to whether work carried out on the computing and networking facilities is internal work, the decision of the County Executive, or delegated authority, shall be final.
     

  3. The County of Rockland will endeavor to safeguard against the possibility of loss of information within the County of Rockland’s computing and networking facilities but will not be liable to the user in the event of any such loss. The user must take all reasonable measures to further safeguard against any loss of information within the County of Rockland’s computing and networking facilities.
     

  4. If a loss of information within the system can be shown to be due to negligence on the part of the computing or network personnel employed by the County of Rockland, or to any hardware or software failure which is beyond the user’s means to avoid or control, then the County of Rockland will endeavor to help restore the information.
     

  5. Users of the computing and networking facilities recognize that when they cease to be formally associated with the County of Rockland (e.g. no longer an employee, partner or vendor to the County of Rockland), their information may be removed from the County computing and networking facilities without notice. Users must remove their information or make arrangements for its retention prior to leaving the County of Rockland.
     

  6. The County of Rockland reserves the right to limit permanently or restrict any user’s usage of the computing and networking facilities; to copy, remove, or otherwise alter any information or system that may undermine the authorized use of the computing and networking facilities; and to do so with or without notice to the user in order to protect the integrity of the computing and networking facilities against unauthorized or improper use, and to protect authorized users from the effects of unauthorized or improper usage.
     

  7. The County of Rockland, through authorized individuals, reserves the right to periodically check and monitor the computing and networking facilities, and reserves any other rights necessary to protect them.
     

  8. The County of Rockland disclaims responsibility and will not be responsible for loss or disclosure of user information or interference with user information resulting from its efforts to maintain the privacy, security and integrity of the computing and networking facilities and information.
     

  9. The County of Rockland reserves the right to take emergency action to safeguard the integrity and security of the computing and networking facilities. This includes, but is not limited to, the termination of a program, job, or on-line session, or the temporary alteration of user account names and passwords. The taking of emergency action does not waive the rights of the County of Rockland to take additional actions under this policy.
     

  10. Users of the computing and networking facilities do so subject to applicable laws and County policies. The County of Rockland disclaims any responsibility and/or warranties for information and materials residing on non-County computer systems or available over publicly accessible networks, except where such responsibility is formally expressed. Such materials do not necessarily reflect the attitudes, opinions, or values of the County of Rockland or its employees.
     

  11. Internal and external users of the County of Rockland’s computing and networking facilities must adhere to all County policies regarding security, remote access and access to the Internet that prohibit direct connectivity to the Internet to individuals and organizations outside of the County of Rockland.
     

  12. Internal users, External users, or County vendors may not install any software or hardware whatsoever without the express approval of the Technology Committee which includes the management of MIS and members from Communications and Networking.
     

  13. External users or County vendors must have controlled access to the County network and resources and are completely under the restrictions of MIS. Contractors who have access to the network systems are responsible for following all policies and procedures outlined in this security document. Contractors are required to provide the County with proof of security bonding and confidentiality affidavits.
     

  14. Rockland County computer/network users must agree:

    • To safeguard their data, personal information, passwords and authorization codes, and confidential data – never to share passwords with any outside person or co-worker, never to write down their password or keep it in a visible place such as on the CPU or monitor or in a desk drawer, and never to remove County information from County property on a floppy disk, CD-ROM, or email attachment without the direct permission of their Department Head;

    • To accept the decision of the Technology Committee, which reserves the right, at any time and without prior notice, to disable the user’s floppy and CD-ROM drives and email to protect the network from unauthorized installations by users or vendors, as well as unauthorized removal of County data to diskettes;

    • To log out of their computers, shutting them down when they leave the premises at night and for extended periods, such as lunch hour or meetings; to accept being disconnected from the network if not properly logged out;
       
    • To choose their passwords wisely and to change them periodically;
       
    • To follow the security policies and procedures established to control access to and use of administrative data.

    • To respect the privacy of other users; for example, not to intentionally seek information on, obtain copies of, or modify files, tapes, or passwords belonging to other users or the County of Rockland;

    • Not to represent others, unless authorized to do so explicitly by those users;

    • Not to divulge sensitive personal data to which they have access concerning staff without explicit authorization to do so.

    • Not to install or run any unapproved hardware devices or software applications (example: no unauthorized wireless devices of any kind - such as PDA, Wireless network cards, routers or switches - are to be connected to the network, nor are any scanning or sniffing devices or software to be used on the network without MIS approval)

    • To respect the legal protection provided by copyright and licensing of programs and data; for example, making copies of licensed computer programs to avoid paying additional license fees or to share with other users would be in violation of the license and/or copyright.
       

    • To respect the intended usage of resources; for example, to use only the account name and password, funds, transactions, data, and processes assigned by service providers, unit heads, or project directors for the purposes specified, and not to access or use other account names and passwords, funds, transactions, data, or processes unless explicitly authorized to do so by the appropriate authority.
       

    • To respect the intended usage of systems for electronic exchange (such as e-mail,  World Wide Web, etc.); for example, not to send forged electronic mail, mail that will intimidate or harass other users, chain messages that can interfere with the efficiency of the system, or promotional mail for profit-making purposes. Also, not to break into another user’s electronic mailbox or read someone else’s electronic mail without their permission.
       

    • To respect the integrity of the computing and networking facilities; for example, not to intentionally develop or use programs, transactions, data, or processes that harass other users or infiltrate the system or damage or alter the software or data components of a system. Alterations to any system or network software or data component are to be made only under specific instructions from authorized academic staff, unit heads, project directors, or management staff.
       

    • To adhere to all general County policies and procedures including, but not limited to, policies on proper use of information resources and computing and networking facilities; the acquisition, use, and disposal of County-owned computer equipment; use of telecommunications equipment; legal use of software; and legal use of administrative data.

    • To scrub as well as purge all county data from hard drives prior to disposal.
       

    • To report any information concerning instances in which the County of Rockland Security Policy or any of its standards and codes of practice has been or is being violated. In general, reports about violations should be directed initially to the administrative unit where the violation has occurred, whereupon it will be passed on to the Director of MIS, who is the Custodian of the system. If it is not clear where to report the problem, it may be sent to the MIS Help Desk, which will redirect the incident to the Director of MIS for action and response.

Code of Practice for Specific Activities

Internet Security 

Since the Internet and its tools adhere to open and documented standards and specifications, it is inherently an unsecured network that has no built-in security controls. Confidential and sensitive information must not reside on Internet servers or systems, or be included in electronic communication available for public access, unless proper, formalized security precautions have been established to protect privacy. Inappropriate or accidental disclosure of the information might expose the County or an individual to loss or harm. Departments must guard against even the perception that information given willingly by an individual to his or her government is in any way used inappropriately or without respect for the citizen’s privacy. Internet resources are governed by existing privacy protection and confidentiality statutes, the same way other County information is governed.

Acceptable Use Policy

It is the responsibility of each County of Rockland department to promulgate and ensure compliance with this policy document governing the acceptable and unacceptable uses of the Internet. The County of Rockland hereby acknowledges that the Internet is a valuable and useful resource for the conduct of County business, but it may also be subject to inappropriate use. The County of Rockland will endeavor to permit appropriate access to the Internet for employees, but some restrictions are necessary and appropriate.

Access to the Internet for an employee will only be approved upon the written recommendation of the Commissioner or Department Head and approval of the County Executive’s Office. The recommendation should give the name of the employee and the reason for needing such access, i.e., research, filing reports, etc. 

Once access is approved, the employee shall use the access granted only for the purpose stated in the approved request. Use of the Internet will be monitored by the Department Head or appropriate supervisor on behalf of the Department Head. Any accessing of sites on the Internet for non-County business, personal, or entertainment use, will result in appropriate disciplinary action.  

Illegal Activity 

In general, it is inappropriate use to store and/or give access to information on the County of Rockland computing and networking facilities that could result in legal action against the County of Rockland.

Objectionable Material

The County of Rockland’s computing and networking facilities must not be used for the transmission, obtaining possession, demonstration, advertisement or requesting the transmission of objectionable material knowing it to be objectionable material, namely:

  • A movie classified RC (refused classification), a computer game classified RC (refused classification), or a refused publication
  • Child pornography
  • An article that promotes crime or violence, or incites or instructs in matters of crime or violence
  • An article that describes or depicts, in a manner that is likely to cause offense to a reasonable adult 

The above-referenced classifications are determined by vendors, and they could be employed to monitor usage of the County network.

The vendor blocking software will, as per our specification to the vendor, categorize and determine the Internet sites that will be “blocked” from coming into the County network. However, if a user brings in a file and uses “RC”-type material on our network, then they are in violation of this security policy. (“RC” is an industry classification that is used to categorize material that cannot be given an “X” categorization.)

Users of the facilities should be aware that there are severe penalties for such activities; that the police or other authority may without a warrant, at any reasonable time, enter any place where the operating of a computer service is carried on and inspect any articles and records kept on the premises and may seize any thing that the authority reasonably suspects is connected with an offense. In addition there are penalties for delaying, obstructing or otherwise hindering the police or authorized person in the performance of their functions or for giving false or misleading statements including statements that are misleading through the omission of information.

Restricted Material 

The County of Rockland’s computing and networking facilities must not be used to transmit or make available restricted material to a minor, restricted material being defined as an article that a reasonable adult, by reason of the nature of the article, or the nature or extent of references in the article, to matters of sex, drug misuse or addiction, crime, cruelty, violence or revolting or abhorrent phenomena, would regard as unsuitable for a minor to see, read or hear. 

MIS, the custodian of the system, maintains the right to employ network management software to monitor the computer activities of the system users.  This in no way makes the MIS department liable for the conduct of users or their misuse of the system. 

The County of Rockland uses independently supplied software and data to identify inappropriate or sexually explicit Internet sites. Rockland County reserves the right to block access to all such sites, as well as future sites not yet known.  If a user finds themselves connected accidentally to a site that contains sexually explicit or offensive material, they must disconnect from that site immediately, regardless of whether that site had been previously deemed acceptable by any screening or rating program.

Employees with Internet access may not use county Internet facilities to download entertainment software or games, or to play games against opponents over the Internet.

Employees with Internet access may not use county Internet facilities to download pictures or videos unless there is a business-related use for the material and an authorized individual has approved it.

It is not acceptable to use the Rockland County Internet:

  • For activities unrelated to the department’s mission;

  • For activities unrelated to official assignments and/or job responsibilities;

  • For any illegal purpose;

  • To transmit threatening, obscene or harassing materials or correspondence;

  • For unauthorized distribution of County of Rockland data and information;

  • To interfere with or disrupt network users, services or equipment;

  • For private purposes such as marketing or business transactions;

  • For solicitation for religious and political causes;

  • For unauthorized not-for-profit business activities;

  • For private advertising of products or service; and

  • For any activity meant to foster personal gain.

Restricted categories may include but not be limited to: 

Adult/Sexually Explicit
Advertisements
Arts & Entertainment
Chat
Criminal Skills
Drugs, Alcohol & Tobacco
Finance & Investment
Food & Drink
Gambling
Games
Glamour & Intimate Apparel
Hacking
Hate Speech
Hobbies & Recreation
Kid’s Sites
Motor Vehicles
Personals and Dating
Photo Searches
Real Estate
Remote Proxies
Sex Education
Shopping
Sports
Streaming Media
Travel
Violence
Weapons
Web-based Email

Restricted Software and Hardware 

Users should not knowingly possess, transfer, or install on any computing and networking facilities, or run, programs or other information which could result in the violation of any County policy or the violation of any applicable license or contract. This is directed towards but not limited to software known as viruses, Trojan horses, trap doors, worms, password breakers, and packet observers. Authorization to possess and use Trojan horses, trap doors, worms, viruses and password breakers for legitimate research or diagnostic purposes can be obtained from the Director of MIS.

The unauthorized physical connection of monitoring devices to the computing and networking facilities which could result in the violation of County policy or applicable licenses or contracts is inappropriate use. This includes but is not limited to the attachment of any electronic device to the computing and networking facilities for the purpose of monitoring data, packets, signals or other information. Authorization to possess and use such hardware for legitimate diagnostic purposes must be obtained from the Director of Management Information Systems.

Copying and Copyrights

In particular, users should be aware of and abide by the County of Rockland Policy on Copying and Using Computer Software. Most software that resides on the computing and networking facilities is owned by the County of Rockland or third parties, and is protected by copyright and other laws, together with licenses and other contractual agreements. Users are required to respect and abide by the terms and conditions of software use and redistribution licenses. Such restrictions may include prohibitions against copying programs or data for use on the computing and networking facilities or for distribution outside the County of Rockland; against the resale of data or programs, or the use of them for non-County purposes or for financial gain; and against public disclosure of information about programs (e.g., source code) without the owner’s authorization. County employees who develop new packages that include components subject to use, copying, or redistribution restrictions have the responsibility to make any such restrictions known to the users of those packages.

Harassment 

County policy prohibits sexual and discriminatory harassment. The County’s computing and networking facilities are not to be used to libel, slander, or harass any other person. The following constitute examples of Computer Harassment:

Intentionally using the computer to annoy, harass, terrify, intimidate, threaten, offend or bother another person by conveying obscene language, pictures, or other materials or threats of bodily harm to the recipient or the recipient’s immediate family;

Intentionally using the computer to contact another person repeatedly with the intent to annoy, harass, or bother, whether or not any actual message is communicated, and/or where no purpose of legitimate communication exists, and where the recipient has expressed a desire for the communication to cease;

Intentionally using the computer to contact another person repeatedly regarding a matter for which one does not have a legal right to communicate, once the recipient has provided reasonable notice that he or she desires such communication to cease (such as debt collection);

Intentionally using the computer to invade the privacy, academic or otherwise, of another or the threatened invasion of the privacy of another. 

The display of offensive material in any publicly accessible area is likely to violate the County harassment policy. There are materials available on the Internet and elsewhere that some members of the County of Rockland community will find offensive. One example is sexually explicit graphics. The County of Rockland has determined the display of such material in a publicly accessible area to be inappropriate. Public display includes, but is not limited to, publicly accessible computer screens and printers.

Wasteful Use of Network Resources

1)    It is inappropriate use to deliberately perform any act that will impair the operation of any part of the computing and networking facilities or deny access by legitimate users to any part of them. This includes but is not limited to wasting resources, tampering with components or reducing the operational readiness of the facilities.

2)    The willful wasting of computing and networking facilities resources is inappropriate use. Wastefulness includes but is not limited to passing chain letters, willful generation of large volumes of unnecessary printed output or disk space, willful creation of unnecessary multiple jobs or processes, or willful creation of heavy network traffic. In particular, the practice of willfully using the County of Rockland’s computing and networking facilities for the establishment of frivolous and unnecessary chains of communication connections is an inappropriate waste of resources.

3)    The sending of random mailings (“junk mail”) is prohibited. It is poor etiquette at best, and harassment at worst, to deliberately send unwanted mail messages to strangers. Recipients who find such junk mail objectionable should contact the sender of the mail, and request to be removed from the mailing list. If the junk mail continues, the recipient should contact their Department Head.  

Game Playing/Gambling 

County computing and network services are not to be used for extensive or competitive recreational game playing or gambling activities.

Commercial Use 

The County of Rockland provides county computing and network facilities for the support of its mission. It is inappropriate to use the computing and networking facilities for:  

  • Commercial gain or placing a third party in a position of commercial advantage.

  • Any non-County related activity, including non-County related communications.

  • Commercial advertising or sponsorship except where such advertising or sponsorship is clearly related to or supports the mission of the County of Rockland or the service being provided.

Use for Personal Business 

County computing and network facilities may not be used in connection with compensated work or activities and outside work for the benefit of organizations or individuals that are not related to the business purposes of County of Rockland. 

Additional Guidelines at Local Sites 

The County of Rockland computing and network facilities are composed of many “sites.” Each site may have local rules and regulations that govern the use of computing and network facilities at that site. Each site has operators, consultants, and/or supervisors who have been given the responsibility to supervise the use of that site. Each site has an administrator (Custodian) with overall policy responsibility for the site. Users are expected to cooperate with these individuals and comply with county and local site policies. Site policies may be more restrictive than County policy. It is the intention that the County of Rockland Security Policy represents a minimum standard. Local administrators may impose more restrictive policies, which become their responsibility to administer.

Connection to the Enterprise-Wide Data Network

Most campus buildings are included in the Enterprise Network. To maintain the integrity of the County of Rockland computing and network facilities, connections to the enterprise network are made only by specialized personnel under the direction of the MIS unit. Users are encouraged to attach appropriate equipment only at existing user-connection points. All requests for additional network connections or for the relocation of a connection should be directed to the Assistant Director of MIS, Customer Service.

Use of Desktop Systems 

Users are responsible for the security and integrity of County information stored on their personal desktop system. This responsibility includes making regular disk backups, controlling physical and network access to the machine, and using virus protection software. Users should avoid storing passwords or other information that can be used to gain access to other campus computing resources.

Standards Of Conduct 

Each employee has an obligation to observe and follow the County's Security Policy and to maintain proper standards of conduct at all times as detailed in the Security Policy. If an individual violates the Security Policy and the behavior interferes with the orderly and efficient operation of a department, corrective disciplinary measures will be taken. The Department Head or designated supervisor is responsible for initiating the internal communication and reporting the incident to the Incident Response Team. The Incident Response Team consists of the MIS Director, the Sheriff and the County Attorney. The responsibilities of each are as follows:

  • The MIS Director informs the other members of the team and the Network Security Officer.

  • The Sheriff investigates the violation and determines the extent of the prosecution.

  • The County Attorney determines the action to be taken based on the violation as defined below. The appropriate disciplinary action imposed can also be determined by the Department Head or County Executive.

Disciplinary action may include a verbal warning, written warning, suspension and discharge. The County does not guarantee that one form of action will necessarily precede another. Guidelines on when, how, and the extent of information that may be released regarding each incident will be determined by the Incident Response Team.

County of Rockland Rights 

Pursuant to the Electronic Communications Privacy Act of 1986 (18 USC 2510 et seq.), notice is hereby given that there are NO facilities provided by this system for sending or receiving private or confidential electronic communications. System administrators have access to all mail and user access requests, and will monitor messages as necessary to assure efficient performance and appropriate use upon the request of the Department Head or supervisor. Messages relating to or in support of illegal activities will be reported to the appropriate authorities.

The County of Rockland reserves the right to log network use and monitor file server space utilization by users and assumes no responsibility or liability for files deleted due to violation of file server space allotments.

The County of Rockland reserves the right to remove a user account from the network or internet rights. The County of Rockland will not be responsible for any damages. This includes the loss of data resulting from delays, non-deliveries, or service interruption caused by negligence, errors or omissions. Use of any information obtained is at the user’s risk. Any computer connected to a network should have anti-virus software installed. The County of Rockland makes no warranties, either expressed or implied, with regard to software obtained from this system.

The County of Rockland makes no warranties (expressed or implied) with respect to Internet service, and it specifically assumes no responsibilities for:

  • The content of any advice or information received by a user outside the County of Rockland or any costs or charges incurred as a result of seeking such advice.

  • Any costs, liabilities, or damages caused by the way the user chooses to use his/her County of Rockland Internet access.

  • Any consequences of service interruptions or changes even if these disruptions arise from circumstances under the control of the County of Rockland. The County of Rockland Internet services are provided on an as is, as available, basis.

The County of Rockland reserves the right to change these policies and rules at any time.

Enforcement and Violations 

This policy is intended to be illustrative of the range of acceptable and unacceptable uses of the Internet facilities and is not necessarily exhaustive. Questions about specific uses related to security issues not enumerated in this policy statement and reports of specific unacceptable uses should be directed to the County Executive’s Office. Other questions about appropriate use should be directed to your supervisor.

The County of Rockland will review alleged violations of the Internet Acceptable Use Policy on a case-by-case basis. Clear violations of the policy which are not promptly remedied will result in termination of Internet service for the person(s) at fault, and referral for disciplinary action as appropriate.

Guidelines for Passwords

Password Management

Passwords should be memorized, never written down, and should be at least 8 characters (letters, numbers, or special characters) long.

Passwords belong to individuals and must never be shared with anyone else.

Passwords should be changed every 30 to 90 days, or immediately if compromised. 

Password Administration

System Custodians should regularly run password-cracking software against their password files to identify weak passwords.

Access Security 

Utilize password facilities to ensure that only authorized users can access the system. Where the desktop is located in an open space, or is otherwise difficult to physically secure, consideration should be given to enhanced password protection mechanisms and procedures.  Include password protected screensavers. 

Password Guidelines

Length should be a minimum of eight characters.

Avoid words found in the dictionary and include at least one numeric character. (Six-character passwords may suffice for non-dictionary words.)

Choose passwords not easily guessed by someone acquainted with the user. (For example, passwords should not be maiden names, or names of children, spouses, or pets.)

Do not write passwords down anywhere.

Change passwords periodically.

Do not include passwords in any electronic mail message. 

Password Construction 

Observe the following guidelines when choosing your password:

NEVER make your password a name or something familiar, like your pet, your children, or partner. Favorite authors and foods are also easily guessed.

NEVER let your password consist of the word ‘password’ or ‘secret’, or be blank.

NEVER, under any circumstances, should your password be the same as your username or your real name.

Do not have a password consisting of a word from a dictionary in any language. These can easily be broken with simple password cracking tools.

Choose a password with a number or mixed case letters. Simple substitutions like a ‘1’ for an ‘i’, and ‘0’ for an ‘O’ are easily guessed. Add a ‘%’ or ‘$’ to the middle of the password.

Add a number in the middle of your password.

Choose something that can be remembered, can be typed quickly and accurately, and includes characters other than lowercase letters.

Examples:

  • Made-up “words” - chok-bel (can be “pronounced”, has a punctuation character)

  • Personal acronyms - ihc,alt (I Hate Coffee, And Love Tea)

  • Invert syllables - sick.sea (instead of ‘seasick’)

ALWAYS have a password on your EMAIL account, following the same guidelines above.

Personnel Security

Privacy

Staff using the County information systems and/or the Internet should realize that their communications are not automatically protected from viewing by third parties. Unless encryption is used, workers should not send information over the Internet if they consider it to be private. Any doubts regarding the privacy of information should be resolved by contacting the system’s custodian or the Director of MIS. 

Right to Examine

At any time and without prior notice, County management reserves the right to examine e-mail, personal file directories, and other information stored on County computers. This examination assures compliance with internal policies, supports the performance of internal investigations, and assists with the management of the County information systems.  

Public Representations

Employees may indicate their affiliation with the County of Rockland in bulletin board discussions and other offerings on the Internet. This may be done by explicitly adding certain words, or it may be implied, for instance via an e-mail address. In either case, whenever employees provide an affiliation, they must also clearly indicate the opinions expressed are their own, and not necessarily those of the County of Rockland. All external representations on behalf of the County of Rockland must first be cleared with the Director of MIS. Additionally, to avoid libel problems, whenever any affiliation with the County of Rockland is included with an Internet message or posting, “flaming” or similar written attacks are strictly prohibited.

Employees must not publicly disclose internal County information via the Internet that may adversely affect the County of Rockland’s relations or public image.

Care must be taken to properly structure comments and questions posted to mailing lists, public news groups, and related public postings on the Internet.  

Access Control 

All users wishing to establish a connection with County computers via the Internet must authenticate themselves at a firewall before gaining access to the County internal network, as soon as this connection is available.

Staff may not establish modems, Internet or other external network connections that could allow non-County users to gain access to County systems and/or networks and County information. Staff must apply to the Director of MIS for access to external network connections through a modem pool. No modems are allowed on individual computers.

All access to external networks MUST be approved and configured by MIS only.

Likewise, unless the Director of MIS has approved in advance, users are prohibited from using new or existing Internet connections to establish new communication channels. These channels include electronic data interchange (EDI) arrangements, electronic malls with on-line shopping, and on-line database services.

Reporting Security Problems 

The Director of MIS must be notified immediately when:

Sensitive County information is lost, disclosed to unauthorized parties, or suspected of being lost or disclosed to unauthorized parties.

Unauthorized use of County information systems has taken place, or is suspected of taking place.

Passwords or other system access control mechanisms are lost, stolen, or disclosed, or are suspected of being lost, stolen, or disclosed.

There is any unusual system behavior, such as missing files, frequent system crashes, or misrouted messages.

Security problems should not be discussed widely but should instead be shared on a need-to-know basis.

Users must not attempt to probe computer security mechanisms at County or other Internet sites. If users probe security mechanisms, alarms will be triggered and County resources will needlessly be spent tracking the activity.  

Desktop Computer Security Guidelines 

Definition

Desktop computers are personal workstations which, though possibly linked to other computers via a Local Area Network, function as stand-alone units. Desktop computers include IBM-compatible PC’s, Macintoshes, and Unix Workstations. 

General Obligations

Users and custodians of desktop computers are subject to the “Conditions of Use” and “Code of Practice” specified in the County’s Security Policy. 

Confidentiality and Security

As County networks and computers are the property of the County of Rockland, the County of Rockland retains the right to allow authorized County officers to monitor and examine the information stored within.

It is recommended that personal confidential material not be stored on or sent through County equipment.

Users must ensure the integrity of their password and abide by County policy on password security (see page 13).

Confidential information should be redirected only where there is a need and with the permission of the originator, where possible.     

Laptop Computer Policy

Purpose and Goals

Laptop computers are used by County of Rockland employees for internal and external communication and to support County business functions to their fullest capacity. This policy advises employees and department heads of their responsibilities and provides guidance in managing distribution and usage.

Access to Laptop Computers

Laptop computers are to be provided to employees based on demonstrated need and job function as approved by the Department Head. This includes but is not limited to employees whose positions involve on-call duties, employees who during the normal course of employment perform their duties away from their assigned work space, and employees who have demonstrated a need to be in contact with their office via e-mail and communication interfaces.

Use of Laptop Computers

Laptop computers, like other means of communication, are to be used to support County government business only. Employees may use laptop computers to communicate informally with others in the County so long as the communication meets professional standards of conduct. Employees may use laptop computers to communicate outside of the County government when such communications are related to legitimate business activities and are within their job assignments or responsibilities. Employees will not use laptop computers for illegal, disruptive, unethical or unprofessional activities, or for personal gain, or for any purpose that would jeopardize the legitimate interests of the County of Rockland.

Laptop computers should not be used while operating a motor vehicle. Employees must make every effort to ensure the safe usage of laptop computers.

Privacy and Access 

Laptop computer contents are not personal and private. Department heads will routinely monitor an individual employee’s laptop computer. Department heads will take reasonable precautions to prevent possible misuse of laptop computers. Department heads are to investigate possible misuse of laptop computers when a reasonable suspicion of abuse exists or in conjunction with an approved investigation.

An employee is prohibited from accessing another user’s laptop computer without his or her permission.

Laptop computer contents may:

  • Be releasable to the public under the Freedom of Information Law.

  • Be subject to discovery proceedings in legal actions.

Roles and Responsibilities

Department heads will ensure that management and supervisors implement policies. They will train staff in appropriate use and be responsible for ensuring the security of laptop computer devices and proper usage.

Employees must make every effort to ensure the security, safety and maintenance of the laptop computer. Any misuse of a laptop computer will result in appropriate disciplinary action in accordance with appropriate collective bargaining agreements in effect.

Policy Review and Update

The County of Rockland or designee will periodically review and update this policy as new technologies and organizational changes are planned and implemented. Questions concerning this policy should be directed to the County Executive’s Office.

Hardware Security

Lock offices. Office keys should be registered and monitored to ensure they are returned when the owner leaves the County of Rockland.

Secure desktops in public areas. Equipment located in publicly accessible areas or rooms that cannot be locked should be fastened down by a cable lock system or enclosed in a lockable computer equipment unit or case.

Secure hard disks. External hard disks should be secured against access, tampering, or removal.

Secure screen with a password protected screensaver. Use the same security guidelines as for other passwords.

Locate computers away from environmental hazards.

Store critical data backup media in fireproof vaults or in another building.

Register all County computers.   

Data and Software Availability

Back up and store important records and programs on a regular schedule.

Check data and software integrity.

Set up and perform regular maintenance, including virus scans, disk defragmentation, regular scanning of disks for errors, and deletion of unnecessary files.

Fix software problems immediately. 

Confidential Information

Encrypt sensitive and confidential information where appropriate and when possible.

Monitor printers used to produce sensitive and confidential information.

Overwrite sensitive files on fixed disks, floppy disks, or cartridges. 

Software

Copyright law protects software. Unauthorized copying is a violation of the County of Rockland copyright policy. Anyone who uses software should understand and comply with the license requirements of the software. The County of Rockland is subject to random license audits by software vendors. 

Viruses

Computer viruses are self-propagating programs that infect other programs. Viruses and worms may destroy programs and data as well as using the computer’s memory and processing power. Viruses, worms, and Trojan horses are of particular concern in networked and shared resource environments because the possible damage they can cause is greatly increased. These can cause damage by exploiting holes in system software. Fixes to infected software should be made as soon as a problem is found.

To decrease the risk of viruses and limit their spread:

Users are not authorized to install any software.

Use software tools to detect and remove viruses.

Isolate immediately any contaminated system.

Computer Networks

Networked computers may require more stringent security than stand-alone computers because they are access points to computer networks.

While the County of Rockland WAN administrators have responsibility for setting up and maintaining appropriate security procedures on the network, each individual is responsible for operating their own computer with ethical regard for others in the shared environment.

The following considerations and procedures must be emphasized in a network environment:

Check all files downloaded from the Internet. Avoid downloading shareware files.  Obtain permission from the Department Head before downloading any large files over 2 megabytes. Large files can be downloaded only after 4:30 p.m. This includes email attachments.

Test all software before it is installed to make sure it doesn’t contain a virus/worm that could have serious consequences for other personal computers and servers on the County network.

Choose passwords with great care to prevent unauthorized use of files on networks or other personal computers.

Always back-up important files.

Use (where appropriate) encrypting/decrypting and authentication services to send confidential information over the County’s network.

Violations of these computer security policies can lead to withdrawal and/or suspension of system and network privileges and/or disciplinary action. 

Physical Security 

The following standards of physical campus security and local area networks must be met:

Facilities must notify the Director and Assistant Directors of MIS, Communications and Networking in advance, preferably at least two (2) days, in the event that any maintenance or construction work will be done near any wiring closets or servers.

Network control equipment must be physically strong and free from unacceptable risk from flooding, vibration, dust, etc.

Internal building distribution of cables within ceiling, wall or floor cavities must be reticulated within protective conduits.

Air temperature must be controlled to within equipment defined limits.

Network electronics must be powered via Uninterruptible Power Supplies (UPS) to provide the following:

Minimum of 10 minutes’ operation in the event of a power blackout.

Adequate protection from surges and sags.

Physical Access

Access to areas housing network electronics will be controlled by designated MIS networking staff.

Doors to areas housing network electronics will be locked with a unique key, the distribution of which will be determined by MIS networking staff.  

Intrusion Protection

Within the boundaries of the WAN, intrusion protection is required to prevent:

Non-County staff from indiscriminately plugging laptop computers into any access port of the campus network.

Unauthorized access of staff to the County’s strategic systems.

Only those computers belonging to staff will be allowed to function when connected to the County network. Visiting personnel wishing to access the network must have authorization from a staff member, who must apply to MIS for temporary access rights. 

The Modem Interface 

One form of external access to the County network is via the County managed modem pools.  

No individual staff member or Department of the County will connect a modem capable of receiving incoming calls to the County network without the express permission of the MIS department, who will stipulate a minimum set of operating criteria to ensure that security of the network is not compromised.

The MIS department will operate and manage the County modem facility using the following criteria:

All modem pools will be password protected.

Staff passwords will be activated on request for service and will be mirrored from the central MIS networking computer system. Password security policy for the central system will therefore apply to the modem authentication system.

Passwords are maintained on the central computing system and the modem pool.


The Department of Personnel must give notification of staff resignation, redundancy or retirement, and those accounts must be disabled or removed from the central system - and therefore the modem authentication system.
 

All County employees and contractors who have remote access to the network systems are responsible to follow all policies and procedures outlined in this security document.  Contractors are required to provide the county proof of Security Bonding and Confidentiality affidavits. 

Inter-campus Network
Regional and Wide Area Networks
 

Protection from illegal entry from public Regional and Wide Area networks is usually provided by network firewalls*.  However, with the diverse nature of the County’s business and the public nature of the services that it delivers, firewall solutions are not sufficient. Some of the County’s customers are external to the campus and may use the public networks to access County research and library material. Also, staff can be mobile, requiring access to the County network from various external locations.

Because of the nature of Wide Area Networks (WAN) there are only limited security measures that can be taken.  Security Policy for Strategic Systems must rely heavily on software applications and general computer controls.  The risks of transmitting information over the WAN must be considered when:

Determining the nature of information to be sent over the WAN.

Granting approval for new applications that involve the transmission of information over the WAN.

Review and upgrade of the firewall (perimeter device system) configurations are to be done on a weekly basis.

Software Purchasing Policy   

In attaining county business objectives through the use of software products, it is required that employees use standardized and authorized software products in their daily job responsibilities. 

For desktop workstations the County has selected and standardized on the Microsoft Office  Suite, which includes Word, Excel, Access and PowerPoint and other approved software packages used by various County departments.  Our standardized GroupWare network software product is Novell GroupWise.

All other requested desktop, network software products and proposed systems purchases, upgrades and enhancements must be approved by a department manager who attests that the software being purchased will be used in the pursuit of County business related objectives. Additionally, once approved for purchase by a department manager, the contemplated software must be approved and certified by the Management Information Systems (MIS) department. The MIS department will only consider the product’s adherence to network compatibility protocols and hardware and desktop support concerns and compliance with MIS department technology strategies. Although the MIS department may be in a position to provide recommendations and assistance on the software being considered for purchase to assist the user department in its purchase decision, the MIS department will not be in a position to approve or disapprove of the user functionality of the software product being considered for purchase by the user department. Upon completion of the MIS review and certification, the purchasing process can be initiated.

All software used by County employees must be licensed originals and paid for by the user or department, unless other pre-approved processes and procedures have been established, such as funding through a Capital Project. Duplicate installations of software, without proper licensing arrangements, are a violation of the vendor’s licensing agreements and should not be undertaken.

It should be noted that MIS is currently employing the use of desktop management software that inventories and monitors all workstations on the network and is able to trace all software origins and remove all unauthorized software.  

Electronic Mail

Introduction

Electronic mail (e-mail) refers to the electronic transfer of information typically in the form of electronic messages, memoranda, and attached documents from a sending party to one or more receiving parties via an intermediate telecommunications system. E-mail is meant to help our County of Rockland departments improve the way they conduct business by providing a quick and cost-effective means to create, transmit, and respond to messages and documents electronically. Well-designed and properly managed e-mail systems expedite business communications, reduce paperwork, and automate routine office tasks, thereby increasing productivity and reducing costs. These opportunities are, however, at risk if e-mail systems are not managed effectively.

Purpose and Goals 

E-mail is one of the County of Rockland’s core internal and external communication methods. The purpose of this policy is to ensure that e-mail systems used by department employees support department business functions to their fullest capacity. This policy advises employees and management of their responsibilities and provides guidance in managing information communicated by e-mail.

Access to E-mail Services

Access to the e-mail services for an employee will only be approved upon the written request of the Commissioner or Department Head to the County Executive’s Office. The request should give the name of the employee and the reason for needing such access, i.e., research, filing reports, etc.

Use of E-mail 

E-mail services, like other means of communication, are to be used to support the County of Rockland department business. Employees may use e-mail to communicate informally with others in the department so long as the communication meets professional standards of conduct. Employees may use e-mail to communicate outside of the department when such communications are related to legitimate business activities and within their job assignments or responsibilities. Employees will not use e-mail for illegal, disruptive, unethical or unprofessional activities, or for personal gain, or for any purpose that would jeopardize the legitimate interests of the County of Rockland. 

Rockland County users must adhere to the following guidelines:

The “Auto Archive” feature of GroupWise should not be activated, as it will unnecessarily use network disk space.

Electronic mail is inherently INSECURE. Users of the email system must be aware of the following:

Sensitive confidential material should NOT be sent through the electronic mail system unless it is encrypted, as soon as encryption is available.

Users should be aware that a message is not deleted from the system until all recipients of the message have deleted their copy and any forwarded or attached copies have also been deleted.
 

Privacy and Access

E-mail messages are not personal and private. An employee is prohibited from accessing another user’s e-mail without his or her permission. E-mail system administrators will not routinely monitor individual employees’ e-mail and will take reasonable precautions to protect the privacy of email. However, network administrators may access an employee’s email:

  • For a legitimate business purpose (e.g., the need to access information when an employee is absent for an extended period of time);

  • To diagnose and resolve technical problems involving system hardware, software, or communication; and/or

  • To investigate possible misuse of e-mail when reasonable suspicion of abuse exists or in conjunction with an approved investigation.

E-mail messages sent or received in conjunction with County of Rockland department business may: 

  • Be releasable to the public under the Freedom of Information Law;

  • Require special measures to comply with the Personal Privacy Protection Law;

  • Be subject to discovery proceedings in legal actions.

Security

E-mail security is a joint responsibility of the County of Rockland department technical employees and e-mail users. Users must take all reasonable precautions, including safeguarding and changing passwords, to prevent the use of the account by unauthorized individuals.

Management and Retention of E-mail Communications

Since e-mail is a communications system, messages should not be retained for extended periods of time. Users should remove all e-mail communications in a timely fashion. If a user needs to retain information in an e-mail message for an extended period, he or she should transfer it from the e-mail system to an appropriate electronic or other filing system. E-mail administrators are authorized to remove any information retained in the e-mail system that is more than 180 days old.

E-mail created in the normal course of official business and retained as evidence of official policies, actions, decisions or transactions is a record subject to records management requirements.

Examples of messages sent by e-mail that typically are records include:

  • Policies and directives,

  • Correspondence or memoranda related to official business,

  • Work schedules and assignments,

  • Agendas and minutes of meetings,

  • Drafts of documents that are circulated for comment or approval,

  • Any document that initiates, authorizes, or completes a business transaction,

  • Final reports or recommendations.  

Some examples of messages that typically do not constitute records are: 

  • Personal messages and announcements,

  • Copies or extracts of documents distributed for convenience or reference,

  • Phone message slips,

  • Announcements of social events.  

Records communicated using e-mail need to be identified, managed, protected, and retained as long as they are needed to meet operational, legal, audit, research or other requirements. Records needed to support program functions should be retained, managed, and accessible in an existing filing system outside the e-mail system in accordance with the appropriate program unit’s standard practices.

Users should: 

  • Dispose of copies of records in e-mail after they have been filed in a record keeping system;

  • Delete records of transitory or little value that are not normally retained in record keeping systems as evidence of an employee’s activity.

Roles and Responsibilities

Department Heads will ensure that program unit management and unit supervisors implement policies. Program unit managers and supervisors will develop and/or publicize record keeping practices in their area of responsibility including routing, format, and filing of records communicated via e-mail. They will train employees in appropriate use and be responsible for ensuring the security of physical devices, passwords, and proper usage.

The County of Rockland department network administrators and internal control (and/or internal audit) employees are responsible for e-mail security, backup, and disaster recovery to the best of their ability.

All e-mail users should: 

  • Be courteous and follow accepted standards of etiquette.

  • Protect others’ privacy and confidentiality.

  • Consider organizational access before sending, filing, or destroying e-mail messages.

  • Protect their passwords.

  • Remove personal messages, transient records, and reference copies in a timely manner.

  • Comply with the County of Rockland department and unit policies, procedures, and standards.  

Policy Review and Update

The County of Rockland or designee will periodically review and update this policy as new technologies and organizational changes are planned and implemented. Questions concerning this policy should be directed to the County Executive’s Office.

 
Note: A “firewall” is a software mechanism that enables control of which computers may communicate with which.