9-4 Information Technology Professionals Policy - Section X: Operations Management Policy
X. Operations Management Policy
This Policy establishes information security requirements for operations management.
- Operating Procedures
- All Local Information Service Providers must have documented operating procedures related to information security including but not limited to:
- Processing and handling information;
- Securely handling and transporting storage media;
- Handling unexpected outages or technical difficulties; and
- Restart and recovery procedures.
- Procedures must be verified by the Local Information Service Provider’s Information Security Representative to ensure they implement the desired Policy or Standard.
- Procedures must be kept up to date by authorized staff and stored in a secure location.
- Separation of Duties
- To reduce the risk of accidental or deliberate system misuse, separation of duties must be implemented where practical.
- Whenever separation of duties cannot be implemented, other compensating controls such as monitoring of activities, audit trails and management supervision must be implemented. At a minimum, the audit of security must remain separate and independent from the security function (i.e., security administration and security audits must be performed by different persons).
- Protection from Malicious Code
Software and associated controls must be implemented across Local Agency networks to prevent and detect the introduction of malicious code. The type of controls and the frequency of updating signature files must be commensurate with the value and sensitivity of the information at risk.
- Back-Up, Storage, Restoration
Local Information Service Providers must develop and maintain plans to meet the IT backup and recovery requirements of the Local Agency they support.
Procedures and requirements of the plan include:
- Ensuring backups are protected from being destroyed or read by unauthorized personnel;
- Storing a full backup copy in an environmentally protected, access-controlled, off-site storage location;
- Ensuring backup procedures and implementing activities (recording, retaining, and purging) comply with the California Public Records Act and County/Local Agency retention schedules; and
- Performing and documenting regularly scheduled restoration tests to ensure backup data can be recovered.
- IT Resource Monitoring
Administrative Policy 9-2: Information Technology Use and Security Policy manual, Section IV.B (Use of Local Agency IT Resources and Data), establishes the Local Information Service Provider's right to monitor and log all activities on the IT resources it owns, controls or manages for security, network maintenance and/or policy compliance.
- Where technically feasible, audit logs recording policy exceptions and other security-related events must be produced and retained to assist in future investigations and access control monitoring.
- All logged events must reflect accurate date and time stamps.
- All audit logs must be retained in accordance with Local Information Service Provider standards.
- All audit logs must be classified as restricted data and protected accordingly.
- Review of audit logs must be commensurate with the nature and degree of criticality of the Local Agency IT resources and data involved.